wip

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
extract some logic from lookup app for future use with embedded outpost
2026-05-14 10:56:52 +02:00 · 2026-05-13 15:14:30 +02:00 · 2026-05-13 15:14:30 +02:00 · 2026-05-13 15:14:30 +02:00 · 2026-05-13 15:14:29 +02:00 · 2026-05-13 15:14:29 +02:00
249 changed files with 6059 additions and 2062 deletions
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -25,7 +25,7 @@ runs:
      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
      with:
-        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext libclang-dev libkadm5clnt-mit12 libkadm5clnt7t64-heimdal libkrb5-dev krb5-kdc krb5-user krb5-admin-server
        update: true
        upgrade: false
        install-recommends: false
@@ -52,19 +52,19 @@ runs:
      run: uv sync --all-extras --dev --locked
    - name: Setup rust (stable)
      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
      with:
        rustflags: ""
    - name: Setup rust (nightly)
      if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
      with:
        toolchain: nightly
        components: rustfmt
        rustflags: ""
    - name: Setup rust dependencies
      if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@711e1c3275189d76dcc4d34ddea63bf96ac49090 # v2
+      uses: taiki-e/install-action@ec28e287910af896fd98e04056d31fa68607e7ad # v2
      with:
        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
    - name: Setup node (web)
--- a/.github/workflows/qa-codeql.yml
+++ b/.github/workflows/qa-codeql.yml
@@ -28,10 +28,10 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@v4.35.4
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@v4.35.4
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@v4.35.4
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -5,7 +5,7 @@ on:
  workflow_dispatch:
    inputs:
      next_version:
-        description: Next major version (for example, if releasing 2042.2, this is 2042.4)
+        description: Next version (for example, if you're currently releasing 2026.5, then enter 2026.8)
        required: true
        type: string

@@ -68,10 +68,14 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
+        with:
+          dependencies: "system,python,go,node,runtime,rust-nightly"
      - name: Run migrations
        run: make migrate
      - name: Bump version
        run: "make bump version=${{ inputs.next_version }}.0-rc1"
+      - name: Re-generate API Clients
+        run: make gen
      - name: Create pull request
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
        with:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -191,7 +191,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+      - uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -82,10 +82,14 @@ jobs:
          token: "${{ steps.app-token.outputs.token }}"
      - name: Setup authentik env
        uses: ./.github/actions/setup
+        with:
+          dependencies: "system,python,go,node,runtime,rust-nightly"
      - name: Run migrations
        run: make migrate
      - name: Bump version
        run: "make bump version=${{ inputs.version }}"
+      - name: Re-generate API Clients
+        run: make gen
      - name: Commit and push
        run: |
          # ID from https://api.github.com/users/authentik-automation[bot]
--- a/.npmrc
+++ b/.npmrc
@@ -0,0 +1,20 @@
+# Block lifecycle scripts (preinstall/install/postinstall/prepare) from dependencies.
+# This neutralizes the dominant npm supply-chain attack vector.
+#
+# Packages that legitimately need a build step (e.g. esbuild, chromedriver, tree-sitter)
+# must be rebuilt explicitly:
+#
+#   npm rebuild --foreground-scripts esbuild chromedriver tree-sitter tree-sitter-json
+ignore-scripts=true
+
+# Fail fast if the active Node/npm doesn't match the "engines" field.
+engine-strict=true
+
+# Pin exact versions so `npm install <pkg>` writes "1.2.3" not "^1.2.3".
+save-exact=true
+
+# Surface CVE warnings during install; doesn't block.
+audit=true
+
+# Suppress funding banners.
+fund=false
--- a/1
+++ b/1
@@ -34,6 +34,7 @@ packages/django-channels-postgres       @goauthentik/backend
 packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
+.npmrc                                  @goauthentik/frontend
 tsconfig.json                           @goauthentik/frontend
 package.json                            @goauthentik/frontend
 package-lock.json                       @goauthentik/frontend
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -143,6 +143,45 @@ version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d902e3d592a523def97af8f317b08ce16b7ab854c1985a0c671e6f15cebc236"

+[[package]]
+name = "asn1-rs"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 2.0.18",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "async-trait"
 version = "0.1.89"
@@ -176,10 +215,13 @@ dependencies = [
 "arc-swap",
 "argh",
 "authentik-axum",
+ "authentik-client",
 "authentik-common",
 "axum",
+ "axum-server",
 "color-eyre",
 "eyre",
+ "futures",
 "hyper-unix-socket",
 "hyper-util",
 "metrics",
@@ -187,9 +229,18 @@ dependencies = [
 "nix 0.31.2",
 "pyo3",
 "pyo3-build-config",
+ "rand 0.10.1",
+ "rustls",
+ "serde",
+ "serde_json",
+ "serde_repr",
 "sqlx",
+ "time",
 "tokio",
+ "tokio-tungstenite",
+ "tower",
 "tracing",
+ "url",
 "uuid",
 "which",
 ]
@@ -241,12 +292,14 @@ dependencies = [
 "config",
 "console-subscriber",
 "eyre",
+ "futures",
 "glob",
 "ipnet",
 "json-subscriber",
 "nix 0.31.2",
 "notify",
 "pin-project-lite",
+ "rcgen",
 "reqwest",
 "reqwest-middleware",
 "rustls",
@@ -264,6 +317,7 @@ dependencies = [
 "tracing-error",
 "tracing-subscriber",
 "url",
+ "uuid",
 ]

 [[package]]
@@ -542,6 +596,17 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"

+[[package]]
+name = "chacha20"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601"
+dependencies = [
+ "cfg-if",
+ "cpufeatures 0.3.0",
+ "rand_core 0.10.1",
+]
+
 [[package]]
 name = "chrono"
 version = "0.4.44"
@@ -779,6 +844,15 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "cpufeatures"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "crc"
 version = "3.4.0"
@@ -873,6 +947,20 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "der-parser"
+version = "10.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
 [[package]]
 name = "deranged"
 version = "0.5.8"
@@ -1291,6 +1379,7 @@ dependencies = [
 "cfg-if",
 "libc",
 "r-efi 6.0.0",
+ "rand_core 0.10.1",
 "wasip2",
 "wasip3",
 ]
@@ -1744,16 +1833,6 @@ dependencies = [
 "serde",
 ]

-[[package]]
-name = "iri-string"
-version = "0.7.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d8e7418f59cc01c88316161279a7f665217ae316b388e58a0d10e29f54f1e5eb"
-dependencies = [
- "memchr",
- "serde",
-]
-
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.2"
@@ -2182,6 +2261,16 @@ dependencies = [
 "windows-sys 0.61.2",
 ]

+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+]
+
 [[package]]
 name = "num-bigint-dig"
 version = "0.8.6"
@@ -2411,6 +2500,15 @@ dependencies = [
 "memchr",
 ]

+[[package]]
+name = "oid-registry"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7"
+dependencies = [
+ "asn1-rs",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.21.4"
@@ -2812,6 +2910,17 @@ dependencies = [
 "rand_core 0.9.5",
 ]

+[[package]]
+name = "rand"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2e8e8bcc7961af1fdac401278c6a831614941f6164ee3bf4ce61b7edb162207"
+dependencies = [
+ "chacha20",
+ "getrandom 0.4.2",
+ "rand_core 0.10.1",
+]
+
 [[package]]
 name = "rand_chacha"
 version = "0.3.1"
@@ -2850,6 +2959,12 @@ dependencies = [
 "getrandom 0.3.4",
 ]

+[[package]]
+name = "rand_core"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63b8176103e19a2643978565ca18b50549f6101881c443590420e4dc998a3c69"
+
 [[package]]
 name = "rand_xoshiro"
 version = "0.7.0"
@@ -2877,6 +2992,19 @@ dependencies = [
 "bitflags 2.11.0",
 ]

+[[package]]
+name = "rcgen"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10b99e0098aa4082912d4c649628623db6aba77335e4f4569ff5083a6448b32e"
+dependencies = [
+ "aws-lc-rs",
+ "rustls-pki-types",
+ "time",
+ "x509-parser",
+ "yasna",
+]
+
 [[package]]
 name = "redox_syscall"
 version = "0.5.18"
@@ -3040,6 +3168,15 @@ dependencies = [
 "semver",
 ]

+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom",
+]
+
 [[package]]
 name = "rustix"
 version = "1.1.4"
@@ -3203,9 +3340,9 @@ checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"

 [[package]]
 name = "sentry"
-version = "0.48.0"
+version = "0.48.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e8ac94aab850a23d7507307cc505332ed2bafd36c65930dfc5c43610f9e9b477"
+checksum = "b93b3e19f45495ddd41d8222a152c48c84f6ba45abe9c69e2527e9cdea29bb5b"
 dependencies = [
 "cfg_aliases",
 "httpdate",
@@ -3400,9 +3537,9 @@ dependencies = [

 [[package]]
 name = "serde_with"
-version = "3.18.0"
+version = "3.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd5414fad8e6907dbdd5bc441a50ae8d6e26151a03b1de04d89a5576de61d01f"
+checksum = "f05839ce67618e14a09b286535c0d9c94e85ef25469b0e13cb4f844e5593eb19"
 dependencies = [
 "base64 0.22.1",
 "chrono",
@@ -3419,7 +3556,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
 dependencies = [
 "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
 "digest",
 ]

@@ -3430,7 +3567,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
 dependencies = [
 "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
 "digest",
 ]

@@ -3934,9 +4071,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"

 [[package]]
 name = "tokio"
-version = "1.52.1"
+version = "1.52.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
+checksum = "8fc7f01b389ac15039e4dc9531aa973a135d7a4135281b12d7c1bc79fd57fffe"
 dependencies = [
 "bytes",
 "libc",
@@ -4000,8 +4137,12 @@ checksum = "8f72a05e828585856dacd553fba484c242c46e391fb0e58917c942ee9202915c"
 dependencies = [
 "futures-util",
 "log",
+ "rustls",
+ "rustls-pki-types",
 "tokio",
+ "tokio-rustls",
 "tungstenite",
+ "webpki-roots 0.26.11",
 ]

 [[package]]
@@ -4082,21 +4223,21 @@ dependencies = [

 [[package]]
 name = "tower-http"
-version = "0.6.8"
+version = "0.6.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51"
 dependencies = [
 "bitflags 2.11.0",
 "bytes",
 "futures-util",
 "http",
 "http-body",
- "iri-string",
 "pin-project-lite",
 "tokio",
 "tower",
 "tower-layer",
 "tower-service",
+ "url",
 ]

 [[package]]
@@ -4215,8 +4356,11 @@ dependencies = [
 "httparse",
 "log",
 "rand 0.9.4",
+ "rustls",
+ "rustls-pki-types",
 "sha1",
 "thiserror 2.0.18",
+ "url",
 ]

 [[package]]
@@ -5087,6 +5231,24 @@ version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"

+[[package]]
+name = "x509-parser"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d43b0f71ce057da06bc0851b23ee24f3f86190b07203dd8f567d0b706a185202"
+dependencies = [
+ "asn1-rs",
+ "aws-lc-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom",
+ "oid-registry",
+ "rusticata-macros",
+ "thiserror 2.0.18",
+ "time",
+]
+
 [[package]]
 name = "yaml-rust2"
 version = "0.10.4"
@@ -5098,6 +5260,15 @@ dependencies = [
 "hashlink",
 ]

+[[package]]
+name = "yasna"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
+dependencies = [
+ "time",
+]
+
 [[package]]
 name = "yoke"
 version = "0.8.1"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -50,6 +50,11 @@ notify = "= 8.2.0"
 pin-project-lite = "= 0.2.17"
 pyo3 = "= 0.28.3"
 pyo3-build-config = "= 0.28.3"
+rand = "= 0.10.1"
+rcgen = { version = "= 0.14.7", default-features = false, features = [
+  "aws_lc_rs",
+  "fips",
+] }
 regex = "= 1.12.3"
 reqwest = { version = "= 0.13.3", features = [
  "form",
@@ -67,7 +72,7 @@ reqwest-middleware = { version = "= 0.5.1", features = [
  "rustls",
 ] }
 rustls = { version = "= 0.23.40", features = ["fips"] }
-sentry = { version = "= 0.48.0", default-features = false, features = [
+sentry = { version = "= 0.48.1", default-features = false, features = [
  "backtrace",
  "contexts",
  "debug-images",
@@ -80,7 +85,7 @@ sentry = { version = "= 0.48.0", default-features = false, features = [
 serde = { version = "= 1.0.228", features = ["derive"] }
 serde_json = "= 1.0.149"
 serde_repr = "= 0.1.20"
-serde_with = { version = "= 3.18.0", default-features = false, features = [
+serde_with = { version = "= 3.19.0", default-features = false, features = [
  "base64",
 ] }
 sqlx = { version = "= 0.8.6", default-features = false, features = [
@@ -97,12 +102,16 @@ sqlx = { version = "= 0.8.6", default-features = false, features = [
 tempfile = "= 3.27.0"
 thiserror = "= 2.0.18"
 time = { version = "= 0.3.47", features = ["macros"] }
-tokio = { version = "= 1.52.1", features = ["full", "tracing"] }
+tokio = { version = "= 1.52.3", features = ["full", "tracing"] }
 tokio-retry2 = "= 0.9.1"
 tokio-rustls = "= 0.26.4"
+tokio-tungstenite = { version = "= 0.29.0", features = [
+  "rustls-tls-webpki-roots",
+  "url",
+] }
 tokio-util = { version = "= 0.7.18", features = ["full"] }
 tower = "= 0.5.3"
-tower-http = { version = "= 0.6.8", features = ["timeout"] }
+tower-http = { version = "= 0.6.10", features = ["timeout"] }
 tracing = "= 0.1.44"
 tracing-error = "= 0.2.1"
 tracing-subscriber = { version = "= 0.3.23", features = [
@@ -260,28 +269,40 @@ publish.workspace = true
 [features]
 default = ["core", "proxy"]
 core = ["ak-common/core", "dep:pyo3", "dep:sqlx"]
-proxy = ["ak-common/proxy"]
+proxy = ["ak-common/proxy", "dep:ak-client"]

 [build-dependencies]
 pyo3-build-config.workspace = true

 [dependencies]
 ak-axum.workspace = true
+ak-client = { workspace = true, optional = true }
 ak-common.workspace = true
 arc-swap.workspace = true
 argh.workspace = true
+axum-server.workspace = true
 axum.workspace = true
 color-eyre.workspace = true
 eyre.workspace = true
+futures.workspace = true
 hyper-unix-socket.workspace = true
 hyper-util.workspace = true
-metrics.workspace = true
 metrics-exporter-prometheus.workspace = true
+metrics.workspace = true
 nix.workspace = true
 pyo3 = { workspace = true, optional = true }
+rand.workspace = true
+rustls.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+serde_repr.workspace = true
 sqlx = { workspace = true, optional = true }
+time.workspace = true
+tokio-tungstenite.workspace = true
 tokio.workspace = true
+tower.workspace = true
 tracing.workspace = true
+url.workspace = true
 uuid.workspace = true
 which.workspace = true

--- a/18
+++ b/18
@@ -125,7 +125,7 @@ core-i18n-extract:
 		--ignore website \
 		-l en

-install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
+install: node-install web-install core-install  ## Install all requires dependencies for `node`, `web` and `core`

 dev-drop-db:
 	$(eval pg_user := $(shell $(UV) run python -m authentik.lib.config postgresql.user 2>/dev/null))
@@ -228,14 +228,26 @@ gen-dev-config:  ## Generate a local development config file
 ## Node.js
 #########################

+# Packages whose install/postinstall scripts are required for correct
+# operation (binary downloads, native bindings). The root .npmrc sets
+# `ignore-scripts=true` to block dependency lifecycle scripts by default;
+# this list is rebuilt explicitly with scripts re-enabled. Audit any
+# additions: each entry runs arbitrary code at install time.
+TRUSTED_INSTALL_SCRIPTS := esbuild chromedriver tree-sitter tree-sitter-json
+
 node-install:  ## Install the necessary libraries to build Node.js packages
 	npm ci
-	npm ci --prefix web

 #########################
 ## Web
 #########################

+web-install: ## Install the necessary libraries to build the Authentik UI
+	npm ci --prefix web
+
+web-postinstall:  ## Trigger postinstall scripts for packages with native bindings or binary downloads, which are blocked by default for security reasons.
+	npm rebuild --prefix web --ignore-scripts=false --foreground-scripts $(TRUSTED_INSTALL_SCRIPTS)
+
 web-build: node-install  ## Build the Authentik UI
 	npm run --prefix web build

@@ -268,7 +280,7 @@ web-i18n-extract:

 docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it

-docs-install:
+docs-install: node-install
 	npm ci --prefix website

 docs-lint-fix: lint-spellcheck
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -42,11 +42,29 @@ def validate_auth(header: bytes, format="bearer") -> str | None:
    return auth_credentials


-class IPCUser(AnonymousUser):
+class VirtualUser(AnonymousUser):
+    is_active = True
+
+    @property
+    def type(self):
+        return UserTypes.INTERNAL_SERVICE_ACCOUNT
+
+    @property
+    def is_anonymous(self):
+        return False
+
+    @property
+    def is_authenticated(self):
+        return True
+
+    def all_roles(self):
+        return []
+
+
+class IPCUser(VirtualUser):
    """'Virtual' user for IPC communication between authentik core and the authentik router"""

    username = "authentik:system"
-    is_active = True
    is_superuser = True

    @property
@@ -62,17 +80,6 @@ class IPCUser(AnonymousUser):
    def has_module_perms(self, module):
        return True

-    @property
-    def is_anonymous(self):
-        return False
-
-    @property
-    def is_authenticated(self):
-        return True
-
-    def all_roles(self):
-        return []
-

 class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@@ -246,6 +246,25 @@ class GroupSerializer(ModelSerializer):
                )
        return superuser

+    def validate_users(self, users: list) -> list:
+        """Require add_user_to_group permission when adding new members via group PATCH."""
+        request: Request = self.context.get("request", None)
+        if not request:
+            return users
+        if not self.instance:
+            return users
+        # BulkManyRelatedField returns raw PKs, not model instances
+        current_user_pks = set(self.instance.users.values_list("pk", flat=True))
+        new_users = [u for u in users if u not in current_user_pks]
+        if not new_users:
+            return users
+        has_perm = request.user.has_perm(
+            "authentik_core.add_user_to_group"
+        ) or request.user.has_perm("authentik_core.add_user_to_group", self.instance)
+        if not has_perm:
+            raise ValidationError(_("User does not have permission to add members to this group."))
+        return users
+
    class Meta:
        model = Group
        fields = [
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -297,6 +297,36 @@ class UserSerializer(ModelSerializer):
            raise ValidationError(_("Setting a user to internal service account is not allowed."))
        return user_type

+    def validate_groups(self, groups: list) -> list:
+        """Require enable_group_superuser permission when adding a user to a superuser group."""
+        request: Request = self.context.get("request", None)
+        if not request:
+            return groups
+        current_groups = set(self.instance.groups.all()) if self.instance else set()
+        for group in groups:
+            if not group.is_superuser:
+                continue
+            if group in current_groups:
+                continue
+            if not request.user.has_perm("authentik_core.enable_group_superuser"):
+                raise ValidationError(
+                    _("User does not have permission to add members to a superuser group.")
+                )
+        return groups
+
+    def validate_roles(self, roles: list) -> list:
+        """Require change_role permission when assigning new roles to a user."""
+        request: Request = self.context.get("request", None)
+        if not request:
+            return roles
+        current_roles = set(self.instance.roles.all()) if self.instance else set()
+        new_roles = [r for r in roles if r not in current_roles]
+        if not new_roles:
+            return roles
+        if not request.user.has_perm("authentik_rbac.change_role"):
+            raise ValidationError(_("User does not have permission to assign roles."))
+        return roles
+
    def validate(self, attrs: dict) -> dict:
        if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
            raise ValidationError(_("Can't modify internal service account users"))
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@@ -158,3 +158,58 @@ class TestGroupsAPI(APITestCase):
            data={"name": generate_id(), "is_superuser": True},
        )
        self.assertEqual(res.status_code, 201)
+
+    def test_patch_users_no_perm(self):
+        """PATCH group with new users without add_user_to_group must be rejected."""
+        group = Group.objects.create(name=generate_id())
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"users": [self.user.pk]},
+            content_type="application/json",
+        )
+        self.assertEqual(res.status_code, 400)
+
+    def test_patch_users_with_global_perm(self):
+        """PATCH group with new users with global add_user_to_group must succeed."""
+        group = Group.objects.create(name=generate_id())
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group")
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"users": [self.user.pk]},
+            content_type="application/json",
+        )
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_users_with_obj_perm(self):
+        """PATCH group with new users with object-level add_user_to_group must succeed."""
+        group = Group.objects.create(name=generate_id())
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group", group)
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"users": [self.user.pk]},
+            content_type="application/json",
+        )
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_existing_users_no_perm(self):
+        """PATCH group keeping existing membership without add_user_to_group must succeed."""
+        group = Group.objects.create(name=generate_id())
+        group.users.add(self.user)
+        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
+        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"users": [self.user.pk]},
+            content_type="application/json",
+        )
+        self.assertEqual(res.status_code, 200)
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@@ -12,6 +12,7 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    AuthenticatedSession,
+    Group,
    Session,
    Token,
    User,
@@ -25,6 +26,7 @@ from authentik.core.tests.utils import (
 )
 from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
+from authentik.rbac.models import Role
 from authentik.stages.email.models import EmailStage

 INVALID_PASSWORD_HASH = "not-a-valid-hash"
@@ -939,3 +941,79 @@ class TestUsersAPI(APITestCase):
        self.assertIn(user2.pk, pks)
        # Verify user2 comes before user1 in descending order
        self.assertLess(pks.index(user2.pk), pks.index(user1.pk))
+
+
+class TestUsersAPIGroupRoleValidation(APITestCase):
+    """Test that PATCH /api/v3/core/users/{pk}/ enforces group and role permission checks."""
+
+    def setUp(self) -> None:
+        self.actor = create_test_user()
+        self.target = create_test_user()
+
+    def _patch(self, data: dict):
+        self.client.force_login(self.actor)
+        return self.client.patch(
+            reverse("authentik_api:user-detail", kwargs={"pk": self.target.pk}),
+            data=data,
+            content_type="application/json",
+        )
+
+    def test_patch_superuser_group_no_perm(self):
+        """Assigning a superuser group without enable_group_superuser must be rejected."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        group = Group.objects.create(name=generate_id(), is_superuser=True)
+        res = self._patch({"groups": [str(group.pk)]})
+        self.assertEqual(res.status_code, 400)
+
+    def test_patch_superuser_group_with_perm(self):
+        """Assigning a superuser group with enable_group_superuser must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        self.actor.assign_perms_to_managed_role("authentik_core.enable_group_superuser")
+        group = Group.objects.create(name=generate_id(), is_superuser=True)
+        res = self._patch({"groups": [str(group.pk)]})
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_non_superuser_group_no_perm(self):
+        """Assigning a non-superuser group without special permission must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        group = Group.objects.create(name=generate_id(), is_superuser=False)
+        res = self._patch({"groups": [str(group.pk)]})
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_existing_superuser_group_no_perm(self):
+        """Keeping an existing superuser group membership without the permission must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        group = Group.objects.create(name=generate_id(), is_superuser=True)
+        self.target.groups.add(group)
+        res = self._patch({"groups": [str(group.pk)]})
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_role_no_perm(self):
+        """Assigning a new role without change_role must be rejected."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        role = Role.objects.create(name=generate_id())
+        res = self._patch({"roles": [str(role.pk)]})
+        self.assertEqual(res.status_code, 400)
+
+    def test_patch_role_with_perm(self):
+        """Assigning a new role with change_role must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        self.actor.assign_perms_to_managed_role("authentik_rbac.change_role")
+        role = Role.objects.create(name=generate_id())
+        res = self._patch({"roles": [str(role.pk)]})
+        self.assertEqual(res.status_code, 200)
+
+    def test_patch_existing_role_no_perm(self):
+        """Keeping an existing role without change_role must succeed."""
+        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
+        role = Role.objects.create(name=generate_id())
+        self.target.roles.add(role)
+        res = self._patch({"roles": [str(role.pk)]})
+        self.assertEqual(res.status_code, 200)
--- a/authentik/endpoints/connectors/agent/api/connectors.py
+++ b/authentik/endpoints/connectors/agent/api/connectors.py
@@ -7,7 +7,7 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import ChoiceField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import AllowAny, IsAuthenticated
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -44,7 +44,6 @@ from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_ME


 class AgentConnectorSerializer(ConnectorSerializer):
-
    class Meta(ConnectorSerializer.Meta):
        model = AgentConnector
        fields = ConnectorSerializer.Meta.fields + [
@@ -63,7 +62,6 @@ class AgentConnectorSerializer(ConnectorSerializer):


 class MDMConfigSerializer(PassiveSerializer):
-
    platform = ChoiceField(choices=OSFamily.choices)
    enrollment_token = PrimaryKeyRelatedField(
        queryset=EnrollmentToken.objects.including_expired().all()
@@ -89,7 +87,6 @@ class AgentConnectorViewSet(
    UsedByMixin,
    ModelViewSet,
 ):
-
    queryset = AgentConnector.objects.all()
    serializer_class = AgentConnectorSerializer
    search_fields = ["name"]
@@ -121,6 +118,8 @@ class AgentConnectorViewSet(
        methods=["POST"],
        detail=False,
        authentication_classes=[AgentEnrollmentAuth],
+        # Permissions are handled via AgentEnrollmentAuth
+        permission_classes=[AllowAny],
    )
    def enroll(self, request: Request):
        token: EnrollmentToken = request.auth
@@ -151,7 +150,13 @@ class AgentConnectorViewSet(
        request=OpenApiTypes.NONE,
        responses=AgentConfigSerializer(),
    )
-    @action(methods=["GET"], detail=False, authentication_classes=[AgentAuth])
+    @action(
+        methods=["GET"],
+        detail=False,
+        authentication_classes=[AgentAuth],
+        # Permissions are handled via AgentAuth
+        permission_classes=[AllowAny],
+    )
    def agent_config(self, request: Request):
        token: DeviceToken = request.auth
        connector: AgentConnector = token.device.connector.agentconnector
@@ -165,7 +170,13 @@ class AgentConnectorViewSet(
        request=DeviceFacts(),
        responses={204: OpenApiResponse(description="Successfully checked in")},
    )
-    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
+    @action(
+        methods=["POST"],
+        detail=False,
+        authentication_classes=[AgentAuth],
+        # Permissions are handled via AgentAuth
+        permission_classes=[AllowAny],
+    )
    def check_in(self, request: Request):
        token: DeviceToken = request.auth
        data = DeviceFacts(data=request.data)
--- a/authentik/endpoints/connectors/agent/auth.py
+++ b/authentik/endpoints/connectors/agent/auth.py
@@ -1,5 +1,6 @@
 from typing import Any

+from django.db.models import Model
 from django.http import HttpRequest
 from django.utils.timezone import now
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
@@ -9,7 +10,7 @@ from rest_framework.exceptions import PermissionDenied
 from rest_framework.request import Request
 from structlog.stdlib import get_logger

-from authentik.api.authentication import IPCUser, validate_auth
+from authentik.api.authentication import VirtualUser, validate_auth
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import User
 from authentik.crypto.apps import MANAGED_KEY
@@ -25,9 +26,18 @@ LOGGER = get_logger()
 PLATFORM_ISSUER = "goauthentik.io/platform"


-class DeviceUser(IPCUser):
+class DeviceUser(VirtualUser):
+
    username = "authentik:endpoints:device"

+    def has_perm(self, perm: str, obj: Model | None = None) -> bool:
+        if perm in [
+            "authentik_core.view_user",
+            "authentik_core.view_group",
+        ]:
+            return True
+        return False
+

 class AgentEnrollmentAuth(BaseAuthentication):

--- a/authentik/endpoints/connectors/agent/tests/test_agent_api.py
+++ b/authentik/endpoints/connectors/agent/tests/test_agent_api.py
@@ -223,3 +223,17 @@ class TestAgentAPI(APITestCase):
            data={"platform": OSFamily.macOS, "enrollment_token": self.token.pk},
        )
        self.assertEqual(res.status_code, 200)
+
+    def test_users_list(self):
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_other_api_forbidden(self):
+        response = self.client.get(
+            reverse("authentik_api:application-list"),
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
--- a/authentik/enterprise/endpoints/connectors/agent/api/connectors.py
+++ b/authentik/enterprise/endpoints/connectors/agent/api/connectors.py
@@ -2,6 +2,7 @@ from django.urls import reverse
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
+from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
 from structlog.stdlib import get_logger
@@ -25,7 +26,13 @@ class AgentConnectorViewSetMixin:
        request=OpenApiTypes.NONE,
        responses=AgentAuthenticationResponse(),
    )
-    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
+    @action(
+        methods=["POST"],
+        detail=False,
+        authentication_classes=[AgentAuth],
+        # Permissions are handled via AgentAuth
+        permission_classes=[AllowAny],
+    )
    @enterprise_action
    def auth_ia(self, request: Request) -> Response:
        token: DeviceToken = request.auth
--- a/authentik/enterprise/providers/ws_federation/processors/sign_in.py
+++ b/authentik/enterprise/providers/ws_federation/processors/sign_in.py
@@ -1,4 +1,5 @@
 from dataclasses import dataclass
+from urllib.parse import urlparse

 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -55,7 +56,9 @@ class SignInRequest:
        _, provider = req.get_app_provider()
        if not req.wreply:
            req.wreply = provider.acs_url
-        if not req.wreply.startswith(provider.acs_url):
+        reply = urlparse(req.wreply)
+        configured = urlparse(provider.acs_url)
+        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
            raise ValueError("Invalid wreply")
        return req

--- a/authentik/enterprise/providers/ws_federation/processors/sign_out.py
+++ b/authentik/enterprise/providers/ws_federation/processors/sign_out.py
@@ -1,4 +1,5 @@
 from dataclasses import dataclass
+from urllib.parse import urlparse

 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -32,7 +33,9 @@ class SignOutRequest:
        _, provider = req.get_app_provider()
        if not req.wreply:
            req.wreply = provider.acs_url
-        if not req.wreply.startswith(provider.acs_url):
+        reply = urlparse(req.wreply)
+        configured = urlparse(provider.acs_url)
+        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
            raise ValueError("Invalid wreply")
        return req

--- a/authentik/enterprise/providers/ws_federation/tests/test_sign_in.py
+++ b/authentik/enterprise/providers/ws_federation/tests/test_sign_in.py
@@ -27,12 +27,27 @@ class TestWSFedSignIn(TestCase):
            name=generate_id(),
            authorization_flow=self.flow,
            signing_kp=self.cert,
+            acs_url="https://t.goauthentik.io",
+            audience="foo",
        )
        self.app = Application.objects.create(
            name=generate_id(), slug=generate_id(), provider=self.provider
        )
        self.factory = RequestFactory()

+    def test_wreply(self):
+        request = self.factory.get(
+            "/?wreply=https://t.goauthentik.io/foo&wa=wsignin1.0&wtrealm=foo",
+            user=get_anonymous_user(),
+        )
+        SignInRequest.parse(request)
+        with self.assertRaises(ValueError):
+            request = self.factory.get(
+                "/?wreply=https://t.goauthentik.io.invalid.com&wa=wsignin1.0&wtrealm=foo",
+                user=get_anonymous_user(),
+            )
+            SignInRequest.parse(request)
+
    def test_token_gen(self):
        request = self.factory.get("/", user=get_anonymous_user())
        proc = SignInProcessor(
--- a/authentik/providers/oauth2/api/tokens.py
+++ b/authentik/providers/oauth2/api/tokens.py
@@ -9,10 +9,10 @@ from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet

+from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
-from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken


@@ -20,7 +20,7 @@ class ExpiringBaseGrantModelSerializer(ModelSerializer, MetaNameSerializer):
    """Serializer for BaseGrantModel and ExpiringBaseGrant"""

    user = UserSerializer()
-    provider = OAuth2ProviderSerializer()
+    provider = ProviderSerializer()
    scope = ListField(child=CharField())

    class Meta:
--- a/authentik/sources/saml/api/source.py
+++ b/authentik/sources/saml/api/source.py
@@ -4,7 +4,6 @@ from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ValidationError
@@ -20,14 +19,6 @@ from authentik.sources.saml.processors.metadata import MetadataProcessor
 class SAMLSourceSerializer(SourceSerializer):
    """SAMLSource Serializer"""

-    url_issuer = SerializerMethodField()
-
-    def get_url_issuer(self, instance: SAMLSource) -> str:
-        """Get the resolved Issuer, falling back to the metadata URL when unset"""
-        if "request" not in self._context:
-            return instance.issuer or ""
-        return instance.get_issuer(self._context["request"]._request)
-
    def validate(self, attrs: dict):
        if attrs.get("verification_kp"):
            if not attrs.get("signed_assertion") and not attrs.get("signed_response"):
@@ -46,7 +37,6 @@ class SAMLSourceSerializer(SourceSerializer):
            "group_matching_mode",
            "pre_authentication_flow",
            "issuer",
-            "url_issuer",
            "sso_url",
            "slo_url",
            "allow_idp_initiated",
--- a/authentik/sources/saml/models.py
+++ b/authentik/sources/saml/models.py
@@ -256,7 +256,7 @@ class SAMLSource(Source):

    def get_issuer(self, request: HttpRequest) -> str:
        """Get Source's Issuer, falling back to our Metadata URL if none is set"""
-        if not self.issuer:
+        if self.issuer is None:
            return self.build_full_url(request, view="metadata")
        return self.issuer

--- a/authentik/sources/saml/processors/response.py
+++ b/authentik/sources/saml/processors/response.py
@@ -1,6 +1,7 @@
 """authentik saml source processor"""

 from base64 import b64decode
+from datetime import UTC, datetime
 from time import mktime
 from typing import TYPE_CHECKING

@@ -40,6 +41,7 @@ from authentik.sources.saml.exceptions import (
    InvalidSignature,
    MismatchedRequestID,
    MissingSAMLResponse,
+    SAMLException,
    UnsupportedNameIDFormat,
 )
 from authentik.sources.saml.models import (
@@ -95,6 +97,7 @@ class ResponseProcessor:

        self._verify_request_id()
        self._verify_status()
+        self._verify_conditions()

    def _decrypt_response(self):
        """Decrypt SAMLResponse EncryptedAssertion Element"""
@@ -126,6 +129,20 @@ class ResponseProcessor:
        )
        self._assertion = decrypted_assertion

+    def _verify_conditions(self):
+        conditions = self.get_assertion().find(f"{{{NS_SAML_ASSERTION}}}Conditions")
+        if conditions is None:
+            return
+        _now = now()
+        before = conditions.attrib.get("NotBefore")
+        if before:
+            if datetime.fromisoformat(before).replace(tzinfo=UTC) > _now:
+                raise SAMLException("Assertion is not valid yet or expired.")
+        on_or_after = conditions.attrib.get("NotOnOrAfter")
+        if on_or_after:
+            if datetime.fromisoformat(on_or_after).replace(tzinfo=UTC) < _now:
+                raise SAMLException("Assertion is not valid yet or expired.")
+
    def _verify_signature(self, signature_node: _Element):
        """Verify a single signature node"""
        xmlsec.tree.add_ids(self._root, ["ID"])
@@ -215,10 +232,9 @@ class ResponseProcessor:
        user has an attribute that refers to our Source for cleanup. The user is also deleted
        on logout and periodically."""
        # Create a temporary User
-        name_id = self._get_name_id()
-        username = name_id.text
+        name_id_el, name_id = self._get_name_id()
        # trim username to ensure it is max 150 chars
-        username = f"ak-{username[: USERNAME_MAX_LENGTH - 14]}-transient"
+        username = f"ak-{name_id[: USERNAME_MAX_LENGTH - 14]}-transient"
        expiry = mktime(
            (now() + timedelta_from_string(self._source.temporary_user_delete_after)).timetuple()
        )
@@ -234,20 +250,18 @@ class ResponseProcessor:
            },
            path=self._source.get_user_path(),
        )
-        LOGGER.debug("Created temporary user for NameID Transient", username=name_id.text)
+        LOGGER.debug("Created temporary user for NameID Transient", username=name_id)
        user.set_unusable_password()
        user.save()
-        UserSAMLSourceConnection.objects.create(
-            source=self._source, user=user, identifier=name_id.text
-        )
+        UserSAMLSourceConnection.objects.create(source=self._source, user=user, identifier=name_id)
        return SAMLSourceFlowManager(
            source=self._source,
            request=self._http_request,
-            identifier=str(name_id.text),
+            identifier=str(name_id),
            user_info={
                "root": self._root,
                "assertion": self.get_assertion(),
-                "name_id": name_id,
+                "name_id": name_id_el,
            },
            policy_context={},
        )
@@ -258,7 +272,7 @@ class ResponseProcessor:
            return self._assertion
        return self._root.find(f"{{{NS_SAML_ASSERTION}}}Assertion")

-    def _get_name_id(self) -> Element:
+    def _get_name_id(self) -> tuple[Element, str]:
        """Get NameID Element"""
        assertion = self.get_assertion()
        if assertion is None:
@@ -269,12 +283,11 @@ class ResponseProcessor:
        name_id = subject.find(f"{{{NS_SAML_ASSERTION}}}NameID")
        if name_id is None:
            raise ValueError("NameID element not found")
-        return name_id
+        return name_id, "".join(name_id.itertext())

    def _get_name_id_filter(self) -> dict[str, str]:
        """Returns the subject's NameID as a Filter for the `User`"""
-        name_id_el = self._get_name_id()
-        name_id = name_id_el.text
+        name_id_el, name_id = self._get_name_id()
        if not name_id:
            raise UnsupportedNameIDFormat("Subject's NameID is empty.")
        _format = name_id_el.attrib["Format"]
@@ -295,26 +308,26 @@ class ResponseProcessor:

    def prepare_flow_manager(self) -> SourceFlowManager:
        """Prepare flow plan depending on whether or not the user exists"""
-        name_id = self._get_name_id()
+        name_id_el, name_id = self._get_name_id()
        # Sanity check, show a warning if NameIDPolicy doesn't match what we go
-        if self._source.name_id_policy != name_id.attrib["Format"]:
+        if self._source.name_id_policy != name_id_el.attrib["Format"]:
            LOGGER.warning(
                "NameID from IdP doesn't match our policy",
                expected=self._source.name_id_policy,
-                got=name_id.attrib["Format"],
+                got=name_id_el.attrib["Format"],
            )
        # transient NameIDs are handled separately as they don't have to go through flows.
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
+        if name_id_el.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
            return self._handle_name_id_transient()

        return SAMLSourceFlowManager(
            source=self._source,
            request=self._http_request,
-            identifier=str(name_id.text),
+            identifier=str(name_id),
            user_info={
                "root": self._root,
                "assertion": self.get_assertion(),
-                "name_id": name_id,
+                "name_id": name_id_el,
            },
            policy_context={
                "saml_response": etree.tostring(self._root),
--- a/authentik/sources/saml/tests/test_property_mappings.py
+++ b/authentik/sources/saml/tests/test_property_mappings.py
@@ -4,6 +4,7 @@ from base64 import b64encode

 from defusedxml.lxml import fromstring
 from django.test import TestCase
+from freezegun import freeze_time

 from authentik.common.saml.constants import NS_SAML_ASSERTION
 from authentik.core.tests.utils import RequestFactory, create_test_flow
@@ -34,6 +35,7 @@ class TestPropertyMappings(TestCase):
            pre_authentication_flow=create_test_flow(),
        )

+    @freeze_time("2022-10-14T14:15:00")
    def test_user_base_properties(self):
        """Test user base properties"""
        properties = self.source.get_base_user_properties(
@@ -61,6 +63,7 @@ class TestPropertyMappings(TestCase):
            properties = self.source.get_base_group_properties(root=ROOT, group_id=group_id)
            self.assertEqual(properties, {"name": group_id})

+    @freeze_time("2022-10-14T14:15:00")
    def test_user_property_mappings(self):
        """Test user property mappings"""
        self.source.user_property_mappings.add(
@@ -94,6 +97,7 @@ class TestPropertyMappings(TestCase):
            },
        )

+    @freeze_time("2022-10-14T14:15:00")
    def test_group_property_mappings(self):
        """Test group property mappings"""
        self.source.group_property_mappings.add(
--- a/authentik/sources/saml/tests/test_response.py
+++ b/authentik/sources/saml/tests/test_response.py
@@ -3,6 +3,7 @@
 from base64 import b64encode

 from django.test import TestCase
+from freezegun import freeze_time

 from authentik.core.tests.utils import RequestFactory, create_test_cert, create_test_flow
 from authentik.crypto.models import CertificateKeyPair
@@ -46,6 +47,7 @@ class TestResponseProcessor(TestCase):
        ):
            ResponseProcessor(self.source, request).parse()

+    @freeze_time("2022-10-14T14:15:00")
    def test_success(self):
        """Test success"""
        request = self.factory.post(
@@ -72,6 +74,7 @@ class TestResponseProcessor(TestCase):
            },
        )

+    @freeze_time("2022-10-14T14:16:40Z")
    def test_success_with_status_message_and_detail(self):
        """Test success with StatusMessage and StatusDetail present (should not raise error)"""
        request = self.factory.post(
@@ -88,6 +91,7 @@ class TestResponseProcessor(TestCase):
        sfm = parser.prepare_flow_manager()
        self.assertEqual(sfm.user_properties["username"], "jens@goauthentik.io")

+    @freeze_time("2022-10-14T14:16:40Z")
    def test_error_with_message_and_detail(self):
        """Test error status with StatusMessage and StatusDetail includes both in error"""
        request = self.factory.post(
@@ -105,6 +109,7 @@ class TestResponseProcessor(TestCase):
        self.assertIn("User account is disabled", str(ctx.exception))
        self.assertIn("Authentication failed", str(ctx.exception))

+    @freeze_time("2024-08-07T15:48:09.325Z")
    def test_encrypted_correct(self):
        """Test encrypted"""
        key = load_fixture("fixtures/encrypted-key.pem")
@@ -142,6 +147,7 @@ class TestResponseProcessor(TestCase):
        with self.assertRaises(InvalidEncryption):
            parser.parse()

+    @freeze_time("2022-10-14T14:16:40Z")
    def test_verification_assertion(self):
        """Test verifying signature inside assertion"""
        key = load_fixture("fixtures/signature_cert.pem")
@@ -164,6 +170,7 @@ class TestResponseProcessor(TestCase):
        parser = ResponseProcessor(self.source, request)
        parser.parse()

+    @freeze_time("2014-07-17T01:02:18Z")
    def test_verification_assertion_duplicate(self):
        """Test verifying signature inside assertion, where the response has another assertion
        before our signed assertion"""
@@ -186,9 +193,35 @@ class TestResponseProcessor(TestCase):

        parser = ResponseProcessor(self.source, request)
        parser.parse()
-        self.assertNotEqual(parser._get_name_id().text, "bad")
-        self.assertEqual(parser._get_name_id().text, "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
+        self.assertNotEqual(parser._get_name_id()[1], "bad")
+        self.assertEqual(parser._get_name_id()[1], "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")

+    @freeze_time("2022-10-14T14:15:00")
+    def test_name_id_comment(self):
+        """Test comment in name ID"""
+        fixture = load_fixture("fixtures/response_signed_assertion_dup.xml")
+        fixture = fixture.replace(
+            "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7",
+            "_ce3d2948b4cf20146dee0a0b3dd6f<!--x-->69b6cf86f62d7",
+        )
+        key = load_fixture("fixtures/signature_cert.pem")
+        kp = CertificateKeyPair.objects.create(
+            name=generate_id(),
+            certificate_data=key,
+        )
+        self.source.verification_kp = kp
+        self.source.signed_assertion = True
+        self.source.signed_response = False
+        request = self.factory.post(
+            "/",
+            data={"SAMLResponse": b64encode(fixture.encode()).decode()},
+        )
+
+        parser = ResponseProcessor(self.source, request)
+        parser.parse()
+        self.assertEqual(parser._get_name_id()[1], "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
+
+    @freeze_time("2014-07-17T01:02:18Z")
    def test_verification_response(self):
        """Test verifying signature inside response"""
        key = load_fixture("fixtures/signature_cert.pem")
@@ -211,6 +244,7 @@ class TestResponseProcessor(TestCase):
        parser = ResponseProcessor(self.source, request)
        parser.parse()

+    @freeze_time("2024-01-18T06:20:48Z")
    def test_verification_response_and_assertion(self):
        """Test verifying signature inside response and assertion"""
        key = load_fixture("fixtures/signature_cert.pem")
@@ -257,6 +291,7 @@ class TestResponseProcessor(TestCase):
        with self.assertRaisesMessage(InvalidSignature, ""):
            parser.parse()

+    @freeze_time("2022-10-14T14:15:00")
    def test_verification_no_signature(self):
        """Test rejecting response without signature when signed_assertion is True"""
        key = load_fixture("fixtures/signature_cert.pem")
@@ -303,6 +338,7 @@ class TestResponseProcessor(TestCase):
        with self.assertRaisesMessage(InvalidSignature, ""):
            parser.parse()

+    @freeze_time("2025-10-30T05:45:47.619Z")
    def test_signed_encrypted_response(self):
        """Test signed & encrypted response"""
        verification_key = load_fixture("fixtures/signature_cert2.pem")
@@ -330,6 +366,7 @@ class TestResponseProcessor(TestCase):
        parser = ResponseProcessor(self.source, request)
        parser.parse()

+    @freeze_time("2026-01-21T14:23")
    def test_transient(self):
        """Test SAML transient NameID"""
        verification_key = load_fixture("fixtures/signature_cert2.pem")
--- a/authentik/sources/saml/tests/test_views.py
+++ b/authentik/sources/saml/tests/test_views.py
@@ -4,6 +4,7 @@ from base64 import b64encode

 from django.test import RequestFactory, TestCase
 from django.urls import reverse
+from freezegun import freeze_time

 from authentik.core.tests.utils import create_test_flow
 from authentik.flows.planner import PLAN_CONTEXT_REDIRECT, FlowPlan
@@ -26,6 +27,7 @@ class TestViews(TestCase):
            pre_authentication_flow=create_test_flow(),
        )

+    @freeze_time("2022-10-14T14:15:00")
    def test_enroll(self):
        """Enroll"""
        flow = create_test_flow()
@@ -52,6 +54,7 @@ class TestViews(TestCase):
        plan: FlowPlan = self.client.session.get(SESSION_KEY_PLAN)
        self.assertIsNotNone(plan)

+    @freeze_time("2022-10-14T14:15:00")
    def test_enroll_redirect(self):
        """Enroll when attempting to access a provider"""
        initial_redirect = f"http://{generate_id()}"
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/blueprints/example/flow-default-account-lockdown.yaml
+++ b/blueprints/example/flow-default-account-lockdown.yaml
@@ -36,14 +36,10 @@ entries:
      attrs:
        order: 50
        initial_value: |
-          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
-          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == current_user_uuid
-          pending_user = None
-          if target_uuid and not is_self_service:
-              from authentik.core.models import User
-
-              pending_user = User.objects.filter(pk=target_uuid).first()
+          actor_uuid = str(getattr(http_request.user, "pk", ""))
+          pending_user = user if getattr(user, "is_authenticated", False) else None
+          target_uuid = str(getattr(pending_user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == actor_uuid
          if is_self_service:
              return (
                  "<p><strong>You are about to lock down your own account.</strong></p>"
@@ -63,14 +59,15 @@ entries:
          from django.utils.html import escape

          if pending_user:
-              email = escape(pending_user.email or pending_user.name or "No email")
-              user_html = f"<p><code>{escape(pending_user.username)}</code> ({email})</p>"
+              detail = pending_user.email or pending_user.name
+              user_html = f"<code>{escape(pending_user.username)}</code>"
+              if detail and detail != pending_user.username:
+                  user_html = f"{user_html} ({escape(detail)})"
          else:
-              user_html = "<p>the account selected when this one-time lockdown link was created</p>"
+              user_html = "the account selected when this one-time lockdown link was created"

          return (
-              "<p><strong>You are about to lock down the following account:</strong></p>"
-              f"{user_html}"
+              f"<p><strong>You are about to lock down the following account:</strong> {user_html}</p>"
              "<p>This is an emergency action for cutting off access to the account right away. "
              "It does not lock the administrator who opened this page.</p>"
              "<p><strong>This will immediately:</strong></p>"
@@ -99,9 +96,9 @@ entries:
      attrs:
        order: 100
        initial_value: |
-          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
-          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          actor_uuid = str(getattr(http_request.user, "pk", ""))
+          target_uuid = str(getattr(user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == actor_uuid
          if is_self_service:
              info = (
                  "Use this if you no longer trust your current password or sessions. "
@@ -134,9 +131,9 @@ entries:
      attrs:
        order: 200
        placeholder: |
-          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
-          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          actor_uuid = str(getattr(http_request.user, "pk", ""))
+          target_uuid = str(getattr(user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == actor_uuid
          if is_self_service:
              return "Describe why you are locking your account..."
          return "Describe why this account is being locked down..."
@@ -184,14 +181,10 @@ entries:
      attrs:
        order: 300
        initial_value: |
-          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
          from django.utils.html import escape
-          from authentik.core.models import User

-          if target_uuid:
-              target = User.objects.filter(pk=target_uuid).first()
-              if target:
-                  return f"<p><code>{escape(target.username)}</code> has been locked down.</p>"
+          if getattr(user, "is_authenticated", False):
+              return f"<p><code>{escape(user.username)}</code> has been locked down.</p>"

          return "<p>The selected account has been locked down.</p>"
        initial_value_expression: true
@@ -221,9 +214,9 @@ entries:
      attrs:
        name: default-account-lockdown-admin-policy
        expression: |
-          target_uuid = (request.http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
-          current_user_uuid = str(getattr(request.user, "pk", "") or getattr(request.http_request.user, "pk", ""))
-          return bool(target_uuid) and target_uuid != current_user_uuid
+          actor_uuid = str(getattr(request.http_request.user, "pk", ""))
+          target_uuid = str(getattr(request.user, "pk", ""))
+          return bool(target_uuid) and target_uuid != actor_uuid
      identifiers:
        name: default-account-lockdown-admin-policy
      id: admin-policy
--- a/go.mod
+++ b/go.mod
@@ -7,10 +7,10 @@ require (
 	beryju.io/radius-eap v0.1.0
 	github.com/avast/retry-go/v4 v4.7.0
 	github.com/coreos/go-oidc/v3 v3.18.0
-	github.com/getsentry/sentry-go v0.46.1
+	github.com/getsentry/sentry-go v0.46.2
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.13
-	github.com/go-openapi/runtime v0.29.4
+	github.com/go-openapi/runtime v0.29.5
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
@@ -57,7 +57,7 @@ require (
 	github.com/go-openapi/jsonreference v0.21.5 // indirect
 	github.com/go-openapi/loads v0.23.3 // indirect
 	github.com/go-openapi/spec v0.22.4 // indirect
-	github.com/go-openapi/strfmt v0.26.1 // indirect
+	github.com/go-openapi/strfmt v0.26.2 // indirect
 	github.com/go-openapi/swag/conv v0.26.0 // indirect
 	github.com/go-openapi/swag/fileutils v0.26.0 // indirect
 	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
@@ -90,10 +90,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.49.0 // indirect
-	golang.org/x/net v0.52.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/crypto v0.50.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -20,8 +20,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.46.1 h1:mZyQFaQYkPxAdDG4HR8gDg6j4CnKYVWt4TF92N7i3XY=
-github.com/getsentry/sentry-go v0.46.1/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
+github.com/getsentry/sentry-go v0.46.2 h1:1jhYwrKGa3sIpo/y5iDNXS5wDoT7I1KNzMHrnK6ojns=
+github.com/getsentry/sentry-go v0.46.2/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -51,12 +51,12 @@ github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe
 github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
 github.com/go-openapi/loads v0.23.3 h1:g5Xap1JfwKkUnZdn+S0L3SzBDpcTIYzZ5Qaag0YDkKQ=
 github.com/go-openapi/loads v0.23.3/go.mod h1:NOH07zLajXo8y55hom0omlHWDVVvCwBM/S+csCK8LqA=
-github.com/go-openapi/runtime v0.29.4 h1:k2lDxrGoSAJRdhFG2tONKMpkizY/4X1cciSdtzk4Jjo=
-github.com/go-openapi/runtime v0.29.4/go.mod h1:K0k/2raY6oqXJnZAgWJB2i/12QKrhUKpZcH4PfV9P18=
+github.com/go-openapi/runtime v0.29.5 h1:uc5+/TtqLIfDBTUxnF3uppoGMt+9DzonwUWsviINlrY=
+github.com/go-openapi/runtime v0.29.5/go.mod h1:D9IUbWccdYv+km8QwmAm90FZvDcQk47vP2Y7y5as/D8=
 github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
 github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
-github.com/go-openapi/strfmt v0.26.1 h1:7zGCHji7zSYDC2tCXIusoxYQz/48jAf2q+sF6wXTG+c=
-github.com/go-openapi/strfmt v0.26.1/go.mod h1:Zslk5VZPOISLwmWTMBIS7oiVFem1o1EI6zULY8Uer7Y=
+github.com/go-openapi/strfmt v0.26.2 h1:ysjheCh4i1rmFEo2LanhELDNucNzfWTZhUDKgWWPaFM=
+github.com/go-openapi/strfmt v0.26.2/go.mod h1:fXh1e449cyUn2NYuz+wb3wARBUdMl7qPEZwX00nqivY=
 github.com/go-openapi/swag/conv v0.26.0 h1:5yGGsPYI1ZCva93U0AoKi/iZrNhaJEjr324YVsiD89I=
 github.com/go-openapi/swag/conv v0.26.0/go.mod h1:tpAmIL7X58VPnHHiSO4uE3jBeRamGsFsfdDeDtb5ECE=
 github.com/go-openapi/swag/fileutils v0.26.0 h1:WJoPRvsA7QRiiWluowkLJa9jaYR7FCuxmDvnCgaRRxU=
@@ -77,10 +77,10 @@ github.com/go-openapi/swag/typeutils v0.26.0 h1:2kdEwdiNWy+JJdOvu5MA2IIg2SylWAFu
 github.com/go-openapi/swag/typeutils v0.26.0/go.mod h1:oovDuIUvTrEHVMqWilQzKzV4YlSKgyZmFh7AlfABNVE=
 github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ=
 github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ=
-github.com/go-openapi/testify/enable/yaml/v2 v2.4.2 h1:5zRca5jw7lzVREKCZVNBpysDNBjj74rBh0N2BGQbSR0=
-github.com/go-openapi/testify/enable/yaml/v2 v2.4.2/go.mod h1:XVevPw5hUXuV+5AkI1u1PeAm27EQVrhXTTCPAF85LmE=
-github.com/go-openapi/testify/v2 v2.4.2 h1:tiByHpvE9uHrrKjOszax7ZvKB7QOgizBWGBLuq0ePx4=
-github.com/go-openapi/testify/v2 v2.4.2/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
+github.com/go-openapi/testify/enable/yaml/v2 v2.5.0 h1:3hZD1fwydvCx/cc1R2uYNQirHqf2s6lqpKV3FcNTURA=
+github.com/go-openapi/testify/enable/yaml/v2 v2.5.0/go.mod h1:TvDZKBH7ZbMaF3EqH2AwTvNQCmzyZq8K1agRjf1B+Nk=
+github.com/go-openapi/testify/v2 v2.5.0 h1:UOCr63aAsMIDydZbZGqo5Ev01D4eydItRbekDuZMJLw=
+github.com/go-openapi/testify/v2 v2.5.0/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
 github.com/go-openapi/validate v0.25.2 h1:12NsfLAwGegqbGWr2CnvT65X/Q2USJipmJ9b7xDJZz0=
 github.com/go-openapi/validate v0.25.2/go.mod h1:Pgl1LpPPGFnZ+ys4/hTlDiRYQdI1ocKypgE+8Q8BLfY=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
@@ -216,8 +216,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab h1:628ME69lBm9C6JY2wXhAph/yjN3jezx1z7BIDLUwxjo=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -227,8 +227,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -245,8 +245,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -258,8 +258,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -110,17 +110,6 @@ func (a *Application) getTraefikForwardUrl(r *http.Request) (*url.URL, error) {

 // getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl
 func (a *Application) getNginxForwardUrl(r *http.Request) (*url.URL, error) {
-	ou := r.Header.Get("X-Original-URI")
-	if ou != "" {
-		// Turn this full URL into a relative URL
-		u := &url.URL{
-			Host:   "",
-			Scheme: "",
-			Path:   ou,
-		}
-		a.log.WithField("url", u.String()).Info("building forward URL from X-Original-URI")
-		return u, nil
-	}
 	h := r.Header.Get("X-Original-URL")
 	if len(h) < 1 {
 		return nil, errors.New("no forward URL found")
--- a/internal/outpost/proxyv2/application/mode_forward_nginx_test.go
+++ b/internal/outpost/proxyv2/application/mode_forward_nginx_test.go
@@ -5,10 +5,8 @@ import (
 	"net/http/httptest"
 	"testing"

-	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
-	"goauthentik.io/internal/outpost/proxyv2/types"
 	api "goauthentik.io/packages/client-go"
 )

@@ -47,67 +45,6 @@ func TestForwardHandleNginx_Single_Headers(t *testing.T) {
 	assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
 }

-func TestForwardHandleNginx_Single_URI(t *testing.T) {
-	a := newTestApplication()
-	req, _ := http.NewRequest("GET", "https://foo.bar/outpost.goauthentik.io/auth/nginx", nil)
-	req.Header.Set("X-Original-URI", "/app")
-
-	rr := httptest.NewRecorder()
-	a.forwardHandleNginx(rr, req)
-
-	assert.Equal(t, http.StatusUnauthorized, rr.Code)
-
-	s, _ := a.sessions.Get(req, a.SessionName())
-	assert.Equal(t, "/app", s.Values[constants.SessionRedirect])
-}
-
-func TestForwardHandleNginx_Single_Claims(t *testing.T) {
-	a := newTestApplication()
-	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
-	req.Header.Set("X-Original-URI", "/")
-
-	rr := httptest.NewRecorder()
-	a.forwardHandleNginx(rr, req)
-
-	s, _ := a.sessions.Get(req, a.SessionName())
-	s.ID = uuid.New().String()
-	s.Options.MaxAge = 86400
-	s.Values[constants.SessionClaims] = types.Claims{
-		Sub: "foo",
-		Proxy: &types.ProxyClaims{
-			UserAttributes: map[string]any{
-				"username": "foo",
-				"password": "bar",
-				"additionalHeaders": map[string]any{
-					"foo": "bar",
-				},
-			},
-		},
-	}
-	err := a.sessions.Save(req, rr, s)
-	if err != nil {
-		panic(err)
-	}
-
-	rr = httptest.NewRecorder()
-	a.forwardHandleNginx(rr, req)
-
-	h := rr.Result().Header
-
-	assert.Equal(t, []string{"Basic Zm9vOmJhcg=="}, h["Authorization"])
-	assert.Equal(t, []string{"bar"}, h["Foo"])
-	assert.Equal(t, []string{""}, h["User-Agent"])
-	assert.Equal(t, []string{""}, h["X-Authentik-Email"])
-	assert.Equal(t, []string{""}, h["X-Authentik-Groups"])
-	assert.Equal(t, []string{""}, h["X-Authentik-Jwt"])
-	assert.Equal(t, []string{""}, h["X-Authentik-Meta-App"])
-	assert.Equal(t, []string{""}, h["X-Authentik-Meta-Jwks"])
-	assert.Equal(t, []string{""}, h["X-Authentik-Meta-Outpost"])
-	assert.Equal(t, []string{""}, h["X-Authentik-Name"])
-	assert.Equal(t, []string{"foo"}, h["X-Authentik-Uid"])
-	assert.Equal(t, []string{""}, h["X-Authentik-Username"])
-}
-
 func TestForwardHandleNginx_Domain_Blank(t *testing.T) {
 	a := newTestApplication()
 	a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
--- a/lifecycle/ak
+++ b/lifecycle/ak
@@ -38,6 +38,10 @@ function run_authentik {
            echo cargo run -- "$@"
        fi
        ;;
+    manage)
+        shift 1
+        echo python -m manage "$@"
+        ;;
    *)
        echo "$@"
        ;;
--- a/lifecycle/container/Dockerfile
+++ b/lifecycle/container/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1

 # Stage: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:735dd688da64d22ebd9dd374b3e7e5a874635668fd2a6ec20ca1f99264294086 AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:4f2b45e32dc7d2caf66b6dbd59fac50e32f8077769efe0ef4d4c3f114672537d AS node-builder

 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -101,8 +101,6 @@ RUN --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
    rustc --version && \
    cargo --version

-RUN cat /root/.rustup/settings.toml
-
 # Stage: Download uv
 FROM ghcr.io/astral-sh/uv:0.11.5@sha256:555ac94f9a22e656fc5f2ce5dfee13b04e94d099e46bb8dd3a73ec7263f2e484 AS uv
 # Stage: Base python image
@@ -228,8 +226,7 @@ RUN apt-get update && \
    # Required for runtime
    apt-get install -y --no-install-recommends \
    libpq5 libmaxminddb0 ca-certificates \
-    krb5-multidev libkrb5-3 libkdb5-10 libkadm5clnt-mit12 \
-    heimdal-multidev libkadm5clnt7t64-heimdal \
+    libkadm5clnt-mit12 libkadm5clnt7t64-heimdal \
    libltdl7 libxslt1.1 && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
--- a/lifecycle/container/proxy.Dockerfile
+++ b/lifecycle/container/proxy.Dockerfile
@@ -21,33 +21,45 @@ COPY web .
 RUN npm run build-proxy

 # Stage 2: Build
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.26.2-trixie@sha256:4a7137ea573f79c86ae451ff05817ed762ef5597fcf732259e97abeb3108d873 AS builder
+FROM ghcr.io/goauthentik/fips-debian:trixie-slim-fips@sha256:7726387c78b5787d2146868c2ccc8948a3591d0a5a6436f7780c8c28acc76341 AS builder

-ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT

-ARG GOOS=$TARGETOS
-ARG GOARCH=$TARGETARCH
-
-WORKDIR /go/src/goauthentik.io
-
+ENV PATH="/root/.cargo/bin:$PATH"
+SHELL ["/bin/sh", "-o", "pipefail", "-c"]
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
-    dpkg --add-architecture arm64 && \
+    --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
    apt-get update && \
-    apt-get install -y --no-install-recommends crossbuild-essential-arm64 gcc-aarch64-linux-gnu
+    # Required for installing pip packages
+    apt-get install -y --no-install-recommends \
+    # Build essentials
+    build-essential \
+    # aws-lc deps
+    cmake clang golang && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal --default-toolchain none && \
+    rustup install && \
+    rustup default "$(sed -n 's/channel = "\(.*\)"/\1/p' rust-toolchain.toml)" && \
+    rustc --version && \
+    cargo --version
+# See https://github.com/aws/aws-lc-rs/issues/569
+ENV AWS_LC_FIPS_SYS_CC=clang

-RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
-    --mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \
-    --mount=type=cache,target=/go/pkg/mod \
-    go mod download
-
-COPY . .
-RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
-    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
-    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
-    go build -o /go/proxy ./cmd/proxy
+RUN --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
+    --mount=type=bind,target=Cargo.toml,src=Cargo.toml \
+    --mount=type=bind,target=Cargo.lock,src=Cargo.lock \
+    --mount=type=bind,target=.cargo/,src=.cargo/ \
+    --mount=type=bind,target=src/,src=src/ \
+    --mount=type=bind,target=packages/,src=packages/ \
+    --mount=type=bind,target=authentik/lib/default.yml,src=authentik/lib/default.yml \
+    # Required otherwise workspace discovery fails
+    --mount=type=bind,target=website/scripts/docsmg/,src=website/scripts/docsmg/ \
+    --mount=type=cache,id=cargo-git-db-$TARGETARCH$TARGETVARIANT,target=/root/.cargo/git/db/ \
+    --mount=type=cache,id=cargo-registry-$TARGETARCH$TARGETVARIANT,target=/root/.cargo/registry/ \
+    --mount=type=cache,id=rust-target-$TARGETARCH$TARGETVARIANT,target=/build/target/ \
+    cargo build --package authentik --no-default-features --features proxy --locked --release && \
+    cp ./target/release/authentik /bin/authentik

 # Stage 3: Run
 FROM ghcr.io/goauthentik/fips-debian:trixie-slim-fips@sha256:7726387c78b5787d2146868c2ccc8948a3591d0a5a6436f7780c8c28acc76341
@@ -72,13 +84,13 @@ RUN apt-get update && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/*

-COPY --from=builder /go/proxy /
+COPY --from=builder /bin/authentik /
 COPY --from=web-builder /static/robots.txt /web/robots.txt
 COPY --from=web-builder /static/security.txt /web/security.txt
 COPY --from=web-builder /static/dist/ /web/dist/
 COPY --from=web-builder /static/authentik/ /web/authentik/

-HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/proxy", "healthcheck" ]
+HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/authentik", "healthcheck" ]

 EXPOSE 9000 9300 9443

@@ -87,4 +99,4 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
    GOFIPS=1

-ENTRYPOINT ["/proxy"]
+ENTRYPOINT ["/authentik", "proxy"]
--- a/locale/de_DE/LC_MESSAGES/django.mo
+++ b/locale/de_DE/LC_MESSAGES/django.mo
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-05-13 05:39+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -226,6 +226,10 @@ msgstr ""
 msgid "The slug '{slug}' is reserved and cannot be used for applications."
 msgstr ""

+#: authentik/core/api/groups.py
+msgid "User does not have permission to add members to this group."
+msgstr ""
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -256,6 +260,14 @@ msgstr ""
 msgid "Setting a user to internal service account is not allowed."
 msgstr ""

+#: authentik/core/api/users.py
+msgid "User does not have permission to add members to a superuser group."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "User does not have permission to assign roles."
+msgstr ""
+
 #: authentik/core/api/users.py
 msgid "Can't modify internal service account users"
 msgstr ""
--- a/locale/en/dictionaries/people.txt
+++ b/locale/en/dictionaries/people.txt
@@ -11,3 +11,4 @@ Naur
 Wärting
 Aadit
 Kilby
+Kahmen
--- a/locale/en/dictionaries/software-terms.txt
+++ b/locale/en/dictionaries/software-terms.txt
@@ -164,3 +164,4 @@ yamltags
 zxcvbn
 ~uuid
 ~uuids
+wreply
--- a/locale/no_NO/LC_MESSAGES/django.mo
+++ b/locale/no_NO/LC_MESSAGES/django.mo
--- a/locale/pt_BR/LC_MESSAGES/django.mo
+++ b/locale/pt_BR/LC_MESSAGES/django.mo
--- a/packages/ak-common/Cargo.toml
+++ b/packages/ak-common/Cargo.toml
@@ -22,11 +22,13 @@ axum-server.workspace = true
 config-rs.workspace = true
 console-subscriber.workspace = true
 eyre.workspace = true
+futures.workspace = true
 glob.workspace = true
 ipnet.workspace = true
 json-subscriber.workspace = true
 notify.workspace = true
 pin-project-lite.workspace = true
+rcgen.workspace = true
 reqwest.workspace = true
 reqwest-middleware.workspace = true
 rustls.workspace = true
@@ -43,6 +45,7 @@ tracing-error.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
 url.workspace = true
+uuid.workspace = true

 [dev-dependencies]
 nix.workspace = true
--- a/packages/ak-common/src/api.rs
+++ b/packages/ak-common/src/api.rs
@@ -1,6 +1,6 @@
 //! Utilities for working with the authentik API client.

-use ak_client::apis::configuration::Configuration;
+use ak_client::{apis::configuration::Configuration, models::Pagination};
 use eyre::{Result, eyre};
 use url::Url;

@@ -60,6 +60,42 @@ pub fn make_config() -> Result<Configuration> {
    })
 }

+/// Fetch all pages from a paginated API endpoint, returning all results combined.
+///
+/// - `fetch`: a function that takes a page number and returns a future resolving to a paginated
+/// response.
+/// - `get_pagination`: a function that extracts the [`Pagination`] metadata from a response.
+/// - `get_results`: a function that extracts the result items from a response.
+pub async fn fetch_all<T, R, E, F, Fut>(
+    fetch: F,
+    get_pagination: impl Fn(&R) -> &Pagination,
+    get_results: impl Fn(R) -> Vec<T>,
+) -> std::result::Result<Vec<T>, E>
+where
+    F: Fn(i32) -> Fut,
+    Fut: Future<Output = std::result::Result<R, E>>,
+{
+    let mut page = 1;
+    let mut results = Vec::with_capacity(0);
+
+    loop {
+        let response = fetch(page).await?;
+        let next = get_pagination(&response).next;
+        if page == 1 {
+            let count = get_pagination(&response).count as usize;
+            results.reserve(count);
+        }
+        results.extend(get_results(response));
+        if next > 0.0 {
+            page += 1;
+        } else {
+            break;
+        }
+    }
+
+    Ok(results)
+}
+
 #[cfg(test)]
 mod tests {
    use serde_json::json;
--- a/packages/ak-common/src/config/schema.rs
+++ b/packages/ak-common/src/config/schema.rs
@@ -3,8 +3,9 @@ use std::{collections::HashMap, net::SocketAddr, num::NonZeroUsize};
 use ipnet::IpNet;
 use serde::{Deserialize, Serialize};

-pub(super) const KEYS_TO_PARSE_AS_LIST: [&str; 4] = [
+pub(super) const KEYS_TO_PARSE_AS_LIST: [&str; 5] = [
    "listen.http",
+    "listen.https",
    "listen.metrics",
    "listen.trusted_proxy_cidrs",
    "log.http_headers",
@@ -59,6 +60,7 @@ pub struct PostgreSQLConfig {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ListenConfig {
    pub http: Vec<SocketAddr>,
+    pub https: Vec<SocketAddr>,
    pub metrics: Vec<SocketAddr>,
    pub debug_tokio: SocketAddr,
    pub trusted_proxy_cidrs: Vec<IpNet>,
--- a/packages/ak-common/src/tls/mod.rs
+++ b/packages/ak-common/src/tls/mod.rs
@@ -7,6 +7,9 @@ use tracing::trace;

 use crate::config;

+pub mod self_signed;
+pub mod store;
+
 /// Dummy resolver for FIPS compliance check.
 #[derive(Debug)]
 struct EmptyCertResolver;
--- a/packages/ak-common/src/tls/self_signed.rs
+++ b/packages/ak-common/src/tls/self_signed.rs
@@ -0,0 +1,52 @@
+use eyre::Result;
+use rcgen::{
+    Certificate, CertificateParams, DistinguishedName, DnType, ExtendedKeyUsagePurpose, KeyPair,
+    KeyUsagePurpose, PKCS_RSA_SHA256, SanType,
+};
+use rustls::{
+    crypto::aws_lc_rs::sign::any_supported_type,
+    pki_types::{CertificateDer, PrivateKeyDer},
+    sign::CertifiedKey,
+};
+use time::{Duration, OffsetDateTime};
+
+pub fn generate() -> Result<(Certificate, KeyPair)> {
+    let signing_key = KeyPair::generate_for(&PKCS_RSA_SHA256)?;
+
+    let mut params = CertificateParams::default();
+    params.not_before = OffsetDateTime::now_utc();
+    params.not_after = OffsetDateTime::now_utc() + Duration::days(365);
+    params.distinguished_name = {
+        let mut dn = DistinguishedName::new();
+        dn.push(DnType::OrganizationName, "authentik");
+        dn.push(DnType::CommonName, "authentik default certificate");
+        dn
+    };
+    params.subject_alt_names = vec![SanType::DnsName("*".try_into()?)];
+    params.key_usages = vec![
+        KeyUsagePurpose::DigitalSignature,
+        KeyUsagePurpose::KeyEncipherment,
+    ];
+    params.extended_key_usages = vec![ExtendedKeyUsagePurpose::ServerAuth];
+
+    let cert = params.self_signed(&signing_key)?;
+
+    Ok((cert, signing_key))
+}
+
+pub fn generate_certifiedkey() -> Result<CertifiedKey> {
+    let (cert, keypair) = generate()?;
+
+    let cert_der = cert.der().to_vec();
+    let key_der = keypair.serialize_der();
+
+    let private_key =
+        PrivateKeyDer::try_from(key_der).map_err(|_| rcgen::Error::CouldNotParseKeyPair)?;
+    let signing_key =
+        any_supported_type(&private_key).map_err(|_| rcgen::Error::CouldNotParseKeyPair)?;
+
+    Ok(CertifiedKey::new(
+        vec![CertificateDer::from(cert_der)],
+        signing_key,
+    ))
+}
--- a/packages/ak-common/src/tls/store.rs
+++ b/packages/ak-common/src/tls/store.rs
@@ -0,0 +1,92 @@
+use std::{collections::HashMap, sync::Arc};
+
+use ak_client::apis::{
+    configuration::Configuration,
+    crypto_api::{
+        crypto_certificatekeypairs_retrieve, crypto_certificatekeypairs_view_certificate_retrieve,
+        crypto_certificatekeypairs_view_private_key_retrieve,
+    },
+};
+use eyre::{Report, Result};
+use futures::FutureExt as _;
+use rustls::{
+    crypto::CryptoProvider,
+    pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject as _},
+    sign::CertifiedKey,
+};
+use tokio::sync::Mutex;
+use uuid::Uuid;
+
+#[derive(Debug)]
+pub struct Certificate {
+    pub fingerprint: String,
+
+    pub certificate: String,
+    pub key: String,
+
+    pub certified_key: Arc<CertifiedKey>,
+}
+
+#[derive(Clone, Debug, Default)]
+pub struct CertificateStore {
+    certificates: Arc<Mutex<HashMap<Uuid, Arc<Certificate>>>>,
+}
+
+impl CertificateStore {
+    pub fn new() -> Self {
+        Self::default()
+    }
+
+    pub async fn ensure_keypair(
+        &self,
+        api_config: &Configuration,
+        kp_uuid: Uuid,
+    ) -> Result<Arc<Certificate>> {
+        let kp_uuid_s = kp_uuid.to_string();
+
+        let fingerprint = crypto_certificatekeypairs_retrieve(api_config, &kp_uuid_s)
+            .await?
+            .fingerprint_sha256;
+
+        if let Some(certificate) = self.certificates.lock().await.get(&kp_uuid)
+            && let Some(fingerprint) = &fingerprint
+            && &certificate.fingerprint == fingerprint
+        {
+            return Ok(Arc::clone(certificate));
+        }
+
+        let (cert, key) = tokio::try_join!(
+            crypto_certificatekeypairs_view_certificate_retrieve(api_config, &kp_uuid_s, None,)
+                .map(|res| res.map_err(Report::from)),
+            crypto_certificatekeypairs_view_private_key_retrieve(api_config, &kp_uuid_s, None,)
+                .map(|res| res.map_err(Report::from)),
+        )?;
+
+        let certified_key = {
+            let cert_chain = CertificateDer::pem_reader_iter(cert.data.as_bytes())
+                .collect::<Result<Vec<_>, _>>()?;
+            let key_der = PrivateKeyDer::from_pem_reader(key.data.as_bytes())?;
+            let provider = CryptoProvider::get_default().expect("no rustls provider installed");
+            Arc::new(CertifiedKey::new(
+                cert_chain,
+                provider.key_provider.load_private_key(key_der)?,
+            ))
+        };
+
+        let cert = Arc::new(Certificate {
+            fingerprint: fingerprint.unwrap_or_default(),
+            certificate: cert.data,
+            key: key.data,
+            certified_key,
+        });
+
+        if !cert.fingerprint.is_empty() {
+            self.certificates
+                .lock()
+                .await
+                .insert(kp_uuid, Arc::clone(&cert));
+        }
+
+        Ok(cert)
+    }
+}
--- a/packages/ak-common/src/tracing.rs
+++ b/packages/ak-common/src/tracing.rs
@@ -30,12 +30,12 @@ pub fn install() -> Result<()> {
    }

    if config.debug {
-        let console_layer = console_subscriber::ConsoleLayer::builder()
-            .server_addr(config.listen.debug_tokio)
-            .spawn();
+        // let console_layer = console_subscriber::ConsoleLayer::builder()
+        //     .server_addr(config.listen.debug_tokio)
+        //     .spawn();
        tracing_subscriber::registry()
            .with(ErrorLayer::default())
-            .with(console_layer)
+            // .with(console_layer)
            .with(
                fmt::layer()
                    .compact()
@@ -186,12 +186,9 @@ pub mod sentry {
            sentry_dsn: Some(config.sentry_dsn),
            environment: config.environment,
            send_pii: config.send_pii,
-            #[expect(
-                clippy::cast_possible_truncation,
-                reason = "This is fine, we'll never get big values here."
-            )]
            #[expect(
                clippy::as_conversions,
+                clippy::cast_possible_truncation,
                reason = "This is fine, we'll never get big values here."
            )]
            sample_rate: config.traces_sample_rate as f32,
--- a/packages/client-ts/src/models/ExpiringBaseGrantModel.ts
+++ b/packages/client-ts/src/models/ExpiringBaseGrantModel.ts
@@ -12,8 +12,8 @@
 * Do not edit the class manually.
 */

-import type { OAuth2Provider } from "./OAuth2Provider";
-import { OAuth2ProviderFromJSON, OAuth2ProviderToJSON } from "./OAuth2Provider";
+import type { Provider } from "./Provider";
+import { ProviderFromJSON, ProviderToJSON } from "./Provider";
 import type { User } from "./User";
 import { UserFromJSON, UserToJSON } from "./User";

@@ -31,10 +31,10 @@ export interface ExpiringBaseGrantModel {
    readonly pk: number;
    /**
     *
-     * @type {OAuth2Provider}
+     * @type {Provider}
     * @memberof ExpiringBaseGrantModel
     */
-    provider: OAuth2Provider;
+    provider: Provider;
    /**
     *
     * @type {User}
@@ -86,7 +86,7 @@ export function ExpiringBaseGrantModelFromJSONTyped(
    }
    return {
        pk: json["pk"],
-        provider: OAuth2ProviderFromJSON(json["provider"]),
+        provider: ProviderFromJSON(json["provider"]),
        user: UserFromJSON(json["user"]),
        isExpired: json["is_expired"],
        expires: json["expires"] == null ? undefined : new Date(json["expires"]),
@@ -107,7 +107,7 @@ export function ExpiringBaseGrantModelToJSONTyped(
    }

    return {
-        provider: OAuth2ProviderToJSON(value["provider"]),
+        provider: ProviderToJSON(value["provider"]),
        user: UserToJSON(value["user"]),
        expires: value["expires"] == null ? value["expires"] : value["expires"].toISOString(),
        scope: value["scope"],
--- a/packages/client-ts/src/models/SAMLSource.ts
+++ b/packages/client-ts/src/models/SAMLSource.ts
@@ -179,12 +179,6 @@ export interface SAMLSource {
     * @memberof SAMLSource
     */
    issuer?: string;
-    /**
-     * Get the resolved Issuer, falling back to the metadata URL when unset
-     * @type {string}
-     * @memberof SAMLSource
-     */
-    readonly urlIssuer: string;
    /**
     * URL that the initial Login request is sent to.
     * @type {string}
@@ -287,7 +281,6 @@ export function instanceOfSAMLSource(value: object): value is SAMLSource {
    if (!("iconThemedUrls" in value) || value["iconThemedUrls"] === undefined) return false;
    if (!("preAuthenticationFlow" in value) || value["preAuthenticationFlow"] === undefined)
        return false;
-    if (!("urlIssuer" in value) || value["urlIssuer"] === undefined) return false;
    if (!("ssoUrl" in value) || value["ssoUrl"] === undefined) return false;
    return true;
 }
@@ -337,7 +330,6 @@ export function SAMLSourceFromJSONTyped(json: any, ignoreDiscriminator: boolean)
                : GroupMatchingModeEnumFromJSON(json["group_matching_mode"]),
        preAuthenticationFlow: json["pre_authentication_flow"],
        issuer: json["issuer"] == null ? undefined : json["issuer"],
-        urlIssuer: json["url_issuer"],
        ssoUrl: json["sso_url"],
        sloUrl: json["slo_url"] == null ? undefined : json["slo_url"],
        allowIdpInitiated:
@@ -386,7 +378,6 @@ export function SAMLSourceToJSONTyped(
        | "managed"
        | "icon_url"
        | "icon_themed_urls"
-        | "url_issuer"
    > | null,
    ignoreDiscriminator: boolean = false,
 ): any {
--- a/packages/client-ts/src/models/TokenModel.ts
+++ b/packages/client-ts/src/models/TokenModel.ts
@@ -12,8 +12,8 @@
 * Do not edit the class manually.
 */

-import type { OAuth2Provider } from "./OAuth2Provider";
-import { OAuth2ProviderFromJSON, OAuth2ProviderToJSON } from "./OAuth2Provider";
+import type { Provider } from "./Provider";
+import { ProviderFromJSON, ProviderToJSON } from "./Provider";
 import type { User } from "./User";
 import { UserFromJSON, UserToJSON } from "./User";

@@ -31,10 +31,10 @@ export interface TokenModel {
    readonly pk: number;
    /**
     *
-     * @type {OAuth2Provider}
+     * @type {Provider}
     * @memberof TokenModel
     */
-    provider: OAuth2Provider;
+    provider: Provider;
    /**
     *
     * @type {User}
@@ -96,7 +96,7 @@ export function TokenModelFromJSONTyped(json: any, ignoreDiscriminator: boolean)
    }
    return {
        pk: json["pk"],
-        provider: OAuth2ProviderFromJSON(json["provider"]),
+        provider: ProviderFromJSON(json["provider"]),
        user: UserFromJSON(json["user"]),
        isExpired: json["is_expired"],
        expires: json["expires"] == null ? undefined : new Date(json["expires"]),
@@ -119,7 +119,7 @@ export function TokenModelToJSONTyped(
    }

    return {
-        provider: OAuth2ProviderToJSON(value["provider"]),
+        provider: ProviderToJSON(value["provider"]),
        user: UserToJSON(value["user"]),
        expires: value["expires"] == null ? value["expires"] : value["expires"].toISOString(),
        scope: value["scope"],
--- a/packages/logger-js/lib/shared.js
+++ b/packages/logger-js/lib/shared.js
@@ -60,7 +60,7 @@ export const LogLevels = /** @type {Level[]} */ (Object.keys(LogLevelLabel));
 /**
 * @callback LoggerFactory
 * @param {string | null} [prefix]
- * @param {...string} args
+ * @param {...string[]} args
 * @returns {Logger}
 */

@@ -207,7 +207,7 @@ export function pinoLight(options) {
 * Creates a logger with the given prefix.
 *
 * @param {string} [prefix]
- * @param {...string} args
+ * @param {...string[]} args
 * @returns {Logger}
 *
 */
--- a/packages/logger-js/package-lock.json
+++ b/packages/logger-js/package-lock.json
@@ -1,12 +1,12 @@
 {
    "name": "@goauthentik/logger-js",
-    "version": "1.1.1",
+    "version": "1.1.2",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/logger-js",
-            "version": "1.1.1",
+            "version": "1.1.2",
            "license": "MIT",
            "devDependencies": {
                "@eslint/js": "^9.39.3",
@@ -68,7 +68,7 @@
        },
        "../tsconfig": {
            "name": "@goauthentik/tsconfig",
-            "version": "1.0.8",
+            "version": "1.0.9",
            "dev": true,
            "license": "MIT",
            "engines": {
--- a/packages/logger-js/package.json
+++ b/packages/logger-js/package.json
@@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/logger-js",
-    "version": "1.1.1",
+    "version": "1.1.2",
    "description": "Pino-based logger for authentik",
    "license": "MIT",
    "repository": {
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,7 +7,7 @@ requires-python = "==3.14.*"
 dependencies = [
  "ak-guardian==3.2.0",
  "argon2-cffi==25.1.0",
-  "cachetools==7.0.6",
+  "cachetools==7.1.1",
  "channels==4.3.2",
  "cryptography==48.0.0",
  "dacite==1.9.2",
@@ -36,7 +36,7 @@ dependencies = [
  "fido2==2.2.0",
  "geoip2==5.2.0",
  "geopy==2.4.1",
-  "google-api-python-client==2.194.0",
+  "google-api-python-client==2.195.0",
  "gssapi==1.11.1",
  "gunicorn==25.3.0",
  "jsonpatch==1.33",
@@ -47,22 +47,22 @@ dependencies = [
  "msgraph-sdk==1.56.0",
  "opencontainers==0.0.15",
  "packaging==26.2",
-  "paramiko==4.0.0",
+  "paramiko==5.0.0",
  "psycopg[c,pool]==3.3.4",
  "pydantic-scim==0.0.8",
-  "pydantic==2.13.3",
+  "pydantic==2.13.4",
  "pyjwt==2.11.0",
  "pyrad==2.5.4",
-  "python-kadmin-rs==0.7.0",
+  "python-kadmin-rs==0.7.2",
  "pyyaml==6.0.3",
  "requests-oauthlib==2.0.0",
  "scim2-filter-parser==0.7.0",
-  "sentry-sdk==2.58.0",
+  "sentry-sdk==2.59.0",
  "service-identity==24.2.0",
  "setproctitle==1.3.7",
  "structlog==25.5.0",
  "swagger-spec-validator==3.0.4",
-  "twilio==9.10.5",
+  "twilio==9.10.9",
  "ua-parser==1.0.2",
  "unidecode==1.4.0",
  "urllib3<3",
@@ -76,7 +76,7 @@ dependencies = [

 [dependency-groups]
 dev = [
-  "aws-cdk-lib==2.251.0",
+  "aws-cdk-lib==2.252.0",
  "bandit==1.9.4",
  "black==26.3.1",
  "bpython==0.26",
@@ -85,7 +85,7 @@ dev = [
  "coverage[toml]==7.13.5",
  "daphne==4.2.1",
  "debugpy==1.8.20",
-  "django-stubs[compatible-mypy]==6.0.3",
+  "django-stubs[compatible-mypy]==6.0.4",
  "djangorestframework-stubs[compatible-mypy]==3.16.9",
  "drf-jsonschema-serializer==3.0.0",
  "freezegun==1.5.5",
@@ -107,7 +107,7 @@ dev = [
  "types-docker==7.1.0.20260409",
  "types-jwcrypto==1.5.7.20260409",
  "types-ldap3==2.9.13.20260408",
-  "types-requests==2.33.0.20260408",
+  "types-requests==2.33.0.20260503",
  "types-zxcvbn==4.5.0.20260408",
 ]

--- a/schema.yml
+++ b/schema.yml
@@ -5386,6 +5386,8 @@ paths:
        using this object
      tags:
      - endpoints
+      security:
+      - {}
      responses:
        '200':
          content:
@@ -5430,6 +5432,8 @@ paths:
        using this object
      tags:
      - endpoints
+      security:
+      - {}
      responses:
        '200':
          content:
@@ -5453,6 +5457,8 @@ paths:
          application/json:
            schema:
              $ref: '#/components/schemas/DeviceFactsRequest'
+      security:
+      - {}
      responses:
        '204':
          description: Successfully checked in
@@ -5473,6 +5479,8 @@ paths:
            schema:
              $ref: '#/components/schemas/EnrollRequest'
        required: true
+      security:
+      - {}
      responses:
        '200':
          content:
@@ -39078,7 +39086,7 @@ components:
          readOnly: true
          title: ID
        provider:
-          $ref: '#/components/schemas/OAuth2Provider'
+          $ref: '#/components/schemas/Provider'
        user:
          $ref: '#/components/schemas/User'
        is_expired:
@@ -54634,11 +54642,6 @@ components:
        issuer:
          type: string
          description: Also known as Entity ID. Defaults the Metadata URL.
-        url_issuer:
-          type: string
-          description: Get the resolved Issuer, falling back to the metadata URL when
-            unset
-          readOnly: true
        sso_url:
          type: string
          description: URL that the initial Login request is sent to.
@@ -54710,7 +54713,6 @@ components:
      - pre_authentication_flow
      - slug
      - sso_url
-      - url_issuer
      - verbose_name
      - verbose_name_plural
    SAMLSourcePropertyMapping:
@@ -57259,7 +57261,7 @@ components:
          readOnly: true
          title: ID
        provider:
-          $ref: '#/components/schemas/OAuth2Provider'
+          $ref: '#/components/schemas/Provider'
        user:
          $ref: '#/components/schemas/User'
        is_expired:
--- a/src/main.rs
+++ b/src/main.rs
@@ -8,6 +8,8 @@ use eyre::{Result, eyre};
 use tracing::{error, info, trace};

 mod metrics;
+#[cfg(feature = "proxy")]
+mod outpost;
 #[cfg(feature = "core")]
 mod server;
 #[cfg(feature = "core")]
@@ -29,6 +31,8 @@ enum Command {
    Server(server::Cli),
    #[cfg(feature = "core")]
    Worker(worker::Cli),
+    #[cfg(feature = "proxy")]
+    Proxy(outpost::proxy::Cli),
 }

 #[derive(Debug, FromArgs, PartialEq)]
@@ -53,6 +57,8 @@ fn main() -> Result<()> {
        Command::Server(_) => Mode::set(Mode::Server)?,
        #[cfg(feature = "core")]
        Command::Worker(_) => Mode::set(Mode::Worker)?,
+        #[cfg(feature = "proxy")]
+        Command::Proxy(_) => Mode::set(Mode::Proxy)?,
    }

    trace!("installing error formatting");
@@ -108,6 +114,10 @@ fn main() -> Result<()> {
                    let workers = worker::start(args, &mut tasks)?;
                    metrics.workers.store(Some(workers));
                }
+                #[cfg(feature = "proxy")]
+                Command::Proxy(args) => {
+                    outpost::start::<outpost::proxy::ProxyOutpost>(args, &mut tasks).await?;
+                }
            }

            let errors = tasks.run().await;
--- a/src/outpost/event.rs
+++ b/src/outpost/event.rs
@@ -0,0 +1,318 @@
+use std::{fmt::Display, sync::Arc};
+
+use ak_common::{Arbiter, Tasks, VERSION, api, arbiter, authentik_build_hash};
+use axum::http::{HeaderValue, header::AUTHORIZATION};
+use eyre::{Result, eyre};
+use futures::{SinkExt as _, StreamExt as _};
+use nix::unistd::gethostname;
+use serde::{Deserialize, Serialize};
+use serde_repr::{Deserialize_repr, Serialize_repr};
+use time::UtcDateTime;
+use tokio::{
+    signal::unix::SignalKind,
+    time::{Duration, interval, sleep},
+};
+use tokio_tungstenite::tungstenite::{Message, client::IntoClientRequest as _};
+use tracing::{debug, info, instrument, trace, warn};
+use url::Url;
+
+use crate::outpost::{Outpost, OutpostController};
+
+#[derive(Serialize_repr, Deserialize_repr, PartialEq, Debug, Clone, Copy, Eq)]
+#[repr(u8)]
+enum EventKind {
+    /// Code used to acknowledge a previous message.
+    Ack = 0,
+    /// Code used to send a healthcheck keepalive.
+    Hello = 1,
+    /// Code received to trigger a config update.
+    TriggerUpdate = 2,
+    /// Code received to trigger some provider specific function.
+    ProviderSpecific = 3,
+    /// Code received to identify the end of a session.
+    SessionEnd = 4,
+}
+
+impl Display for EventKind {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::Ack => write!(f, "Ack"),
+            Self::Hello => write!(f, "Hello"),
+            Self::TriggerUpdate => write!(f, "TriggerUpdate"),
+            Self::ProviderSpecific => write!(f, "ProviderSpecific"),
+            Self::SessionEnd => write!(f, "SessionEnd"),
+        }
+    }
+}
+
+#[derive(Serialize, Deserialize)]
+struct Event {
+    instruction: EventKind,
+    args: serde_json::Value,
+}
+
+#[derive(Debug, Deserialize)]
+pub(crate) struct EventSessionEnd {
+    session_id: String,
+}
+
+fn build_ws_url(mut url: Url, outpost_pk: &str, instance_uuid: &str, attempt: u32) -> Result<Url> {
+    let ws_scheme = match url.scheme() {
+        "https" => "wss",
+        "http" => "ws",
+        other => return Err(eyre!("Unsupported scheme for WebSocket URL: {other}")),
+    };
+
+    url.set_scheme(ws_scheme)
+        .map_err(|()| eyre!("Failed to set URL scheme to {ws_scheme}"))?;
+    url.set_path(&format!("{}ws/outpost/{outpost_pk}/", url.path()));
+    url.query_pairs_mut()
+        .append_pair("instance_uuid", instance_uuid)
+        .append_pair("attempt", &attempt.to_string());
+
+    Ok(url)
+}
+
+fn hello_args(instance_uuid: &str) -> serde_json::Value {
+    let raw_hostname = gethostname().unwrap_or_default();
+    let hostname = raw_hostname.to_string_lossy();
+
+    serde_json::json!({
+        "version": VERSION,
+        "buildHash": authentik_build_hash(None),
+        "uuid": instance_uuid,
+        // TODO: rust version and AWS-LC versions
+        "hostname": hostname,
+    })
+}
+
+#[instrument(skip_all)]
+async fn handle_event<O: Outpost>(
+    controller: Arc<OutpostController>,
+    outpost: Arc<O>,
+    event: Event,
+    reload_offset: Option<Duration>,
+) -> Result<()> {
+    match event.instruction {
+        EventKind::Ack | EventKind::Hello => {}
+        EventKind::TriggerUpdate => {
+            info!("received update trigger, refreshing outpost");
+            if let Some(reload_offset) = reload_offset {
+                sleep(reload_offset).await;
+            }
+            controller.refresh().await?;
+            debug!("outpost controller has been refreshed");
+            outpost.refresh().await?;
+            debug!("outpost has been refreshed");
+            #[expect(
+                clippy::as_conversions,
+                clippy::cast_precision_loss,
+                reason = "This is fine, we'll never get big values here."
+            )]
+            controller
+                .m_last_update
+                .set(UtcDateTime::now().unix_timestamp() as f64);
+        }
+        EventKind::SessionEnd => {
+            let event: EventSessionEnd = serde_json::from_value(event.args)?;
+            outpost.end_session(event).await?;
+        }
+        #[expect(
+            clippy::unimplemented,
+            reason = "this is only relevant for the RAC provider"
+        )]
+        EventKind::ProviderSpecific => unimplemented!(),
+    }
+    Ok(())
+}
+
+async fn watch_events_inner<O: Outpost>(
+    arbiter: Arbiter,
+    controller: Arc<OutpostController>,
+    outpost: Arc<O>,
+    attempt: u32,
+) -> Result<()> {
+    let server_config = api::ServerConfig::new()?;
+    let ws_url = build_ws_url(
+        server_config.host,
+        &controller.outpost.load().pk.to_string(),
+        &controller.instance_uuid.to_string(),
+        attempt,
+    )?;
+
+    debug!(url = %ws_url, "connecting to websocket");
+    let mut request = ws_url.into_client_request()?;
+    let token = controller
+        .api_config
+        .bearer_access_token
+        .as_deref()
+        .unwrap_or("");
+    request.headers_mut().insert(
+        AUTHORIZATION,
+        HeaderValue::from_str(&format!("Bearer {token}"))?,
+    );
+
+    let (ws_stream, _response) = tokio_tungstenite::connect_async(request).await?;
+    let (mut ws_write, mut ws_read) = ws_stream.split();
+
+    info!(
+        outpost = %controller.outpost.load().pk,
+        "connected to websocket"
+    );
+    controller.m_connection.set(1_u8);
+
+    let get_refresh_interval = || {
+        let mut interval = controller.outpost.load().refresh_interval_s;
+        // Ensure timer interval is not negative or 0.
+        // If it is, we default to 5 minutes.
+        if interval <= 0_i32 {
+            interval = 60_i32 * 5_i32;
+        }
+        // Clamp interval to be at least 30 seconds.
+        if interval < 30_i32 {
+            interval = 30_i32;
+        }
+        // infallible because we bound it to be positive above
+        Duration::from_secs(interval.try_into().expect("infallible"))
+    };
+    let mut refresh_interval = interval(get_refresh_interval());
+    let mut heartbeat_interval = interval(Duration::from_secs(10));
+
+    let mut events_rx = arbiter.events_subscribe();
+
+    loop {
+        tokio::select! {
+            _ = refresh_interval.tick() => {
+                info!("refreshing outpost on interval");
+                if let Err(err) = handle_event(
+                    Arc::clone(&controller),
+                    Arc::clone(&outpost),
+                    Event {
+                        instruction: EventKind::TriggerUpdate,
+                        args: serde_json::Value::Null
+                    },
+                    None,
+                ).await {
+                    warn!(?err, "failed to refresh");
+                }
+                refresh_interval = interval(get_refresh_interval());
+                // Since we re-create the interval, we need to make it tick instantly to avoid
+                // ending up in a never-ending tick-loop.
+                refresh_interval.tick().await;
+            },
+            _ = heartbeat_interval.tick() => {
+                let ping = Event {
+                    instruction: EventKind::Hello,
+                    args: hello_args(&controller.instance_uuid.to_string()),
+                };
+                ws_write.send(Message::text(serde_json::to_string(&ping)?)).await?;
+                trace!("sent websocket hello (heartbeat)");
+            },
+            Ok(arbiter::Event::Signal(signal)) = events_rx.recv() => {
+                if signal == SignalKind::user_defined1() {
+                    info!("refreshing outpost on signal");
+                    if let Err(err) = handle_event(
+                        Arc::clone(&controller),
+                        Arc::clone(&outpost),
+                        Event {
+                            instruction: EventKind::TriggerUpdate,
+                            args: serde_json::Value::Null
+                        },
+                        None,
+                    ).await {
+                        warn!(?err, "failed to refresh");
+                    }
+                }
+            },
+            msg = ws_read.next() => {
+                let Some(msg) = msg else {
+                    break;
+                };
+                let msg = msg?;
+                match msg {
+                    Message::Text(text) => {
+                        let Ok(event): Result<Event, _> = serde_json::from_str(&text) else {
+                            warn!(data = text.as_str(), "failed to parse event");
+                            continue;
+                        };
+                        trace!(event = %event.instruction, "received websocket event");
+                        if let Err(err) = handle_event(
+                            Arc::clone(&controller),
+                            Arc::clone(&outpost),
+                            event,
+                            Some(controller.reload_offset),
+                        ).await {
+                            warn!(?err, "failed to handle event");
+                        }
+                    },
+                    Message::Ping(data) => {
+                        ws_write.send(Message::Pong(data)).await?;
+                    },
+                    Message::Close(_) => {
+                        break;
+                    },
+                    _ => {},
+                }
+            },
+            () = arbiter.shutdown() => break,
+        }
+    }
+
+    Ok(())
+}
+
+async fn watch_events<O: Outpost>(
+    arbiter: Arbiter,
+    controller: Arc<OutpostController>,
+    outpost: Arc<O>,
+) -> Result<()> {
+    const MAX_BACKOFF: Duration = Duration::from_mins(5);
+    let mut backoff = Duration::from_secs(1);
+    let mut attempt: u32 = 0;
+
+    loop {
+        tokio::select! {
+            () = arbiter.shutdown() => break,
+            res = watch_events_inner(
+                arbiter.clone(),
+                Arc::clone(&controller),
+                Arc::clone(&outpost),
+                attempt
+            ) => {
+                controller.m_connection.set(0_u8);
+                match res {
+                    Ok(()) => debug!("websocket disconnected cleanly"),
+                    Err(err) => warn!(?err, attempt, "websocket error"),
+                }
+
+                info!(attempt, delay = backoff.as_secs(), "reconnecting websocket in {}s...", backoff.as_secs());
+
+                tokio::select! {
+                    () = arbiter.shutdown() => break,
+                    () = sleep(backoff) => {}
+                }
+
+                backoff = (backoff * 2).min(MAX_BACKOFF);
+                attempt += 1;
+            }
+        }
+    }
+
+    info!("stopping event watcher");
+
+    Ok(())
+}
+
+pub(crate) fn start<O: Outpost + 'static>(
+    tasks: &mut Tasks,
+    controller: Arc<OutpostController>,
+    outpost: Arc<O>,
+) -> Result<()> {
+    let arbiter = tasks.arbiter();
+    tasks
+        .build_task()
+        .name(&format!("{}::watch_events", module_path!()))
+        .spawn(watch_events(arbiter, controller, outpost))?;
+
+    Ok(())
+}
--- a/src/outpost/mod.rs
+++ b/src/outpost/mod.rs
@@ -0,0 +1,123 @@
+use std::{sync::Arc, time::Duration};
+
+use ak_client::{
+    apis::{configuration::Configuration, outposts_api::outposts_instances_list},
+    models::Outpost as OutpostModel,
+};
+use ak_common::{Tasks, VERSION, api, authentik_build_hash};
+use arc_swap::ArcSwap;
+use eyre::{Result, eyre};
+use tracing::{debug, info, instrument};
+use uuid::Uuid;
+
+pub(crate) mod event;
+#[cfg(feature = "proxy")]
+pub(crate) mod proxy;
+
+pub(crate) trait Outpost: Send + Sync + Sized {
+    const OUTPOST_TYPE: &'static str;
+    type Cli: Send + Sync;
+
+    async fn new(controller: Arc<OutpostController>) -> Result<Self>;
+
+    fn start(self: Arc<Self>, tasks: &mut Tasks) -> Result<()>;
+    fn refresh(&self) -> impl Future<Output = Result<()>> + Send;
+
+    fn end_session(&self, event: event::EventSessionEnd)
+    -> impl Future<Output = Result<()>> + Send;
+}
+
+#[derive(Debug)]
+pub(crate) struct OutpostController {
+    api_config: Configuration,
+    outpost: ArcSwap<OutpostModel>,
+    instance_uuid: Uuid,
+    reload_offset: Duration,
+    m_info: metrics::Gauge,
+    m_last_update: metrics::Gauge,
+    m_connection: metrics::Gauge,
+}
+
+impl OutpostController {
+    #[instrument(skip_all)]
+    async fn get_outpost(api_config: &Configuration) -> Result<OutpostModel> {
+        let outposts = outposts_instances_list(
+            api_config, None, None, None, None, None, None, None, None, None, None, None, None,
+        )
+        .await?;
+
+        let Some(outpost) = outposts.results.into_iter().next() else {
+            return Err(eyre!(
+                "No outposts found with given token, ensure the given token corresponds to an \
+                 authentik Outpost"
+            ));
+        };
+        debug!(name = outpost.name, "fetched outpost configuration");
+
+        Ok(outpost)
+    }
+
+    #[instrument(skip_all)]
+    async fn new<O: Outpost>() -> Result<Self> {
+        let api_config = api::make_config()?;
+        let outpost = Self::get_outpost(&api_config).await?;
+        let instance_uuid = Uuid::new_v4();
+
+        let m_labels = [
+            ("outpost_name", outpost.name.clone()),
+            ("outpost_type", O::OUTPOST_TYPE.to_owned()),
+            ("uuid", instance_uuid.to_string()),
+            ("version", VERSION.to_owned()),
+            ("build", authentik_build_hash(None)),
+        ];
+        metrics::describe_gauge!("authentik_outpost_info", "Outpost info");
+        let m_info = metrics::gauge!("authentik_outpost_info", &m_labels);
+        metrics::describe_gauge!("authentik_outpost_last_update", "Time of last update");
+        let m_last_update = metrics::gauge!("authentik_outpost_last_update", &m_labels);
+        metrics::describe_gauge!("authentik_outpost_connection", "Connection status");
+        let m_connection = metrics::gauge!("authentik_outpost_connection", &m_labels);
+
+        let reload_offset = Duration::from_secs(rand::random_range(0..10));
+        let controller = Self {
+            api_config,
+            outpost: ArcSwap::from_pointee(outpost),
+            instance_uuid,
+            reload_offset,
+            m_info,
+            m_last_update,
+            m_connection,
+        };
+
+        info!(embedded = controller.is_embedded(), "outpost mode");
+        debug!(?reload_offset, "HA Reload offset");
+
+        Ok(controller)
+    }
+
+    fn is_embedded(&self) -> bool {
+        self.outpost
+            .load()
+            .managed
+            .as_ref()
+            .and_then(|m| m.as_deref())
+            .is_some_and(|m| m == "goauthentik.io/outposts/embedded")
+    }
+
+    async fn refresh(&self) -> Result<()> {
+        let outpost = Self::get_outpost(&self.api_config).await?;
+        self.outpost.swap(Arc::new(outpost));
+        Ok(())
+    }
+}
+
+#[instrument(skip_all)]
+pub(crate) async fn start<O: Outpost + 'static>(_cli: O::Cli, tasks: &mut Tasks) -> Result<()> {
+    let controller = Arc::new(OutpostController::new::<O>().await?);
+    let outpost = Arc::new(O::new(Arc::clone(&controller)).await?);
+
+    event::start(tasks, Arc::clone(&controller), Arc::clone(&outpost))?;
+    outpost.start(tasks)?;
+    controller.m_info.set(1_u8);
+
+    Ok(())
+}
--- a/src/outpost/proxy/application.rs
+++ b/src/outpost/proxy/application.rs
@@ -0,0 +1,61 @@
+use std::sync::Arc;
+
+use ak_client::models::ProxyOutpostConfig;
+use ak_common::tls::store::Certificate;
+use axum::Router;
+use eyre::{Result, eyre};
+use tracing::instrument;
+use url::Url;
+
+use crate::outpost::proxy::ProxyOutpost;
+
+const _REDIRECT_PARAM: &str = "rd";
+const CALLBACK_SIGNATURE: &str = "X-authentik-auth-callback";
+const _LOGOUT_SIGNATURE: &str = "X-authentik-logout";
+
+#[derive(Debug)]
+pub(super) struct Application {
+    pub(super) host: String,
+    pub(super) provider: ProxyOutpostConfig,
+    pub(super) router: Router,
+    pub(super) cert: Option<Arc<Certificate>>,
+}
+
+impl Application {
+    #[instrument(skip_all)]
+    pub(super) async fn new(outpost: &ProxyOutpost, provider: ProxyOutpostConfig) -> Result<Self> {
+        let external_url = Url::parse(&provider.external_host)?;
+        if !external_url.has_authority() {
+            return Err(eyre!("no host in external host"));
+        }
+        let external_host = external_url.authority();
+
+        let _old_app = outpost.apps.load().get(external_host);
+
+        let cert = if let Some(Some(kp_uuid)) = provider.certificate {
+            Some(
+                outpost
+                    .certificate_store
+                    .ensure_keypair(&outpost.controller.api_config, kp_uuid)
+                    .await?,
+            )
+        } else {
+            None
+        };
+
+        let _redirect_url = {
+            let mut redirect_url = external_url.join("outpost.goauthentik.io/callback")?;
+            redirect_url.set_query(Some(&format!("{CALLBACK_SIGNATURE}=true")));
+            redirect_url
+        };
+
+        let router = Router::new();
+
+        Ok(Self {
+            host: external_host.to_owned(),
+            provider,
+            router,
+            cert,
+        })
+    }
+}
--- a/src/outpost/proxy/handlers.rs
+++ b/src/outpost/proxy/handlers.rs
@@ -0,0 +1,87 @@
+use std::sync::Arc;
+
+use ak_axum::{error::Result, extract::host::Host};
+use axum::{
+    extract::{Request, State},
+    http::{Method, StatusCode, header::CONTENT_TYPE},
+    response::{IntoResponse as _, Response},
+};
+use metrics::histogram;
+use serde_json::json;
+use tokio::time::Instant;
+use tower::util::ServiceExt as _;
+use tracing::{Instrument as _, debug, field, info_span, instrument, trace, warn};
+
+use crate::outpost::proxy::ProxyOutpost;
+
+#[instrument(skip_all)]
+pub(super) async fn handle_ping(
+    method: Method,
+    Host(host): Host,
+    State(outpost): State<Arc<ProxyOutpost>>,
+) -> Response {
+    let start = Instant::now();
+    histogram!(
+        "authentik_outpost_proxy_request_duration_seconds",
+        "outpost_name" => outpost.controller.outpost.load().name.clone(),
+        "method" => method.to_string(),
+        "host" => host,
+        "type" => "ping",
+    )
+    .record(start.elapsed().as_secs_f64());
+    StatusCode::NO_CONTENT.into_response()
+}
+
+#[instrument(skip_all)]
+pub(super) async fn default(
+    method: Method,
+    Host(host): Host,
+    State(outpost): State<Arc<ProxyOutpost>>,
+    request: Request,
+) -> Result<Response> {
+    let span = info_span!("proxy outpost request", user = field::Empty);
+    let start = Instant::now();
+
+    let app = outpost.lookup_app(&host).or_else(|| {
+        // If we only have a single app, host name switching doesn't matter.
+        let apps = outpost.apps.load();
+        if apps.len() == 1
+            && let Some(app) = apps.values().next()
+        {
+            debug!(app = app.provider.name, "found a single app, using it");
+            return Some(Arc::clone(app));
+        }
+        None
+    });
+    let Some(app) = app else {
+        trace!(headers = ?request.headers(), "tracing headers for no hostname match");
+        warn!("no app for hostname");
+        return Ok(Response::builder()
+            .status(StatusCode::BAD_REQUEST)
+            .header(CONTENT_TYPE, "application/json")
+            .body(
+                json!({
+                    "message": "no app for hostname",
+                    "host": host,
+                    "detail": format!("check the outpost settings and make sure '{host}' is included."),
+                })
+                .to_string()
+                .into(),
+            )
+            .expect("infallible"));
+    };
+
+    trace!("passing to application");
+    let response = app.router.clone().oneshot(request).instrument(span).await?;
+
+    histogram!(
+        "authentik_outpost_proxy_request_duration_seconds",
+        "outpost_name" => outpost.controller.outpost.load().name.clone(),
+        "method" => method.to_string(),
+        "host" => host,
+        "type" => "app",
+    )
+    .record(start.elapsed().as_secs_f64());
+
+    Ok(response)
+}
--- a/src/outpost/proxy/mod.rs
+++ b/src/outpost/proxy/mod.rs
@@ -0,0 +1,231 @@
+use std::{collections::HashMap, sync::Arc};
+
+use ak_axum::router::wrap_router;
+use ak_client::{apis::outposts_api::outposts_proxy_list, models::ProxyMode};
+use ak_common::{
+    Tasks,
+    api::fetch_all,
+    config,
+    tls::{self, store::CertificateStore},
+};
+use arc_swap::ArcSwap;
+use argh::FromArgs;
+use axum::Router;
+use axum_server::tls_rustls::RustlsConfig;
+use eyre::Result;
+use rustls::{
+    ServerConfig,
+    server::{ClientHello, ResolvesServerCert},
+    sign::CertifiedKey,
+};
+use tracing::{debug, error, info, instrument, warn};
+
+use crate::outpost::{Outpost, OutpostController, proxy::application::Application};
+
+mod application;
+mod handlers;
+
+#[derive(Debug, Default, FromArgs, PartialEq, Eq)]
+/// Run the authentik proxy outpost.
+#[argh(subcommand, name = "proxy")]
+#[expect(
+    clippy::empty_structs_with_brackets,
+    reason = "argh doesn't support unit structs"
+)]
+pub(crate) struct Cli {}
+
+#[derive(Debug)]
+pub(crate) struct ProxyOutpost {
+    controller: Arc<OutpostController>,
+    apps: ArcSwap<HashMap<String, Arc<Application>>>,
+    certificate_store: CertificateStore,
+    default_cert: Arc<CertifiedKey>,
+}
+
+impl Outpost for ProxyOutpost {
+    type Cli = Cli;
+
+    const OUTPOST_TYPE: &'static str = "proxy";
+
+    #[instrument(skip_all)]
+    async fn new(controller: Arc<OutpostController>) -> Result<Self> {
+        Ok(Self {
+            controller,
+            apps: ArcSwap::from_pointee(HashMap::with_capacity(0)),
+            certificate_store: CertificateStore::new(),
+            default_cert: Arc::new(tls::self_signed::generate_certifiedkey()?),
+        })
+    }
+
+    fn start(self: Arc<Self>, tasks: &mut Tasks) -> Result<()> {
+        let router = build_router(Arc::clone(&self));
+
+        for addr in config::get().listen.http.iter().copied() {
+            ak_axum::server::start_plain(tasks, "proxy-outpost", router.clone(), addr)?;
+        }
+
+        for addr in config::get().listen.https.iter().copied() {
+            let resolver = Arc::clone(&self);
+            let server_config = ServerConfig::builder()
+                .with_no_client_auth()
+                .with_cert_resolver(resolver);
+            let rustls_config = RustlsConfig::from_config(Arc::new(server_config));
+            ak_axum::server::start_tls(
+                tasks,
+                "proxy-outpost",
+                router.clone(),
+                addr,
+                rustls_config,
+            )?;
+        }
+
+        Ok(())
+    }
+
+    #[instrument(skip_all)]
+    async fn refresh(&self) -> Result<()> {
+        debug!(
+            outpost_pk = %self.controller.outpost.load().pk,
+            "requesting providers for outpost"
+        );
+
+        let providers = fetch_all(
+            |page| {
+                outposts_proxy_list(
+                    &self.controller.api_config,
+                    None,
+                    None,
+                    Some(page),
+                    Some(100_i32),
+                    None,
+                )
+            },
+            |r| &r.pagination,
+            |r| r.results,
+        )
+        .await
+        .inspect_err(|err| error!(?err, "failed to fetch providers"))?;
+        debug!(count = providers.len(), "fetched providers");
+
+        if providers.is_empty() && !self.controller.is_embedded() {
+            warn!(
+                "no providers assigned to this outpost, check outpost configuration in authentik"
+            );
+        }
+
+        for (i, provider) in providers.iter().enumerate() {
+            debug!(
+                index = i,
+                name = provider.name,
+                external_host = provider.external_host,
+                assigned_to_app = provider.assigned_application_name,
+                "provider details"
+            );
+        }
+
+        let mut apps = HashMap::with_capacity(providers.len());
+
+        for provider in providers {
+            let name = provider.name.clone();
+            let Ok(application) = Application::new(self, provider)
+                .await
+                .inspect_err(|err| warn!(?err, "failed to setup application, skipping provider"))
+            else {
+                continue;
+            };
+            info!(name, host = application.host, "loaded application");
+
+            apps.insert(application.host.clone(), Arc::new(application));
+        }
+
+        self.apps.store(Arc::new(apps));
+
+        Ok(())
+    }
+
+    async fn end_session(&self, _event: super::event::EventSessionEnd) -> Result<()> {
+        // todo!()
+        warn!(?_event, "removing session");
+        Ok(())
+    }
+}
+
+impl ResolvesServerCert for ProxyOutpost {
+    fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
+        if let Some(server_name) = client_hello.server_name()
+            && let Some(app) = self.apps.load().get(server_name)
+            && let Some(cert) = &app.cert
+        {
+            return Some(Arc::clone(&cert.certified_key));
+        }
+        Some(Arc::clone(&self.default_cert))
+    }
+
+    fn only_raw_public_keys(&self) -> bool {
+        false
+    }
+}
+
+impl ProxyOutpost {
+    #[instrument(skip(self))]
+    fn lookup_app(&self, host: &str) -> Option<Arc<Application>> {
+        let apps = self.apps.load();
+
+        if apps.is_empty() {
+            return None;
+        }
+
+        if let Some(app) = apps.get(host) {
+            debug!(app = app.provider.name, "found app based direct host match");
+            return Some(Arc::clone(app));
+        }
+
+        // For forward_auth_domain, we don't have a direct app to domain relationship.
+        // Check through all apps, and check how much of their cookie domain matches the host.
+        // Return the application that has the longest match.
+        let mut longest_match = None;
+        let mut longest_len = 0_usize;
+
+        for app in apps.values() {
+            if app.provider.mode != Some(ProxyMode::ForwardDomain) {
+                continue;
+            }
+
+            if let Some(cookie_domain) = app.provider.cookie_domain.as_deref() {
+                // Check if the cookie domain has a leading period for a wildcard.
+                // This will decrease the weight of a wildcard domain, but a request to example.com
+                // with the cookie domain set to example.com will still be routed correctly.
+                let domain = cookie_domain.trim_start_matches('.');
+
+                if host.ends_with(domain) && domain.len() > longest_len {
+                    longest_len = domain.len();
+                    longest_match = Some(Arc::clone(app));
+                }
+                // For forward_auth_domain, we need to response on the external domain too.
+                if app.provider.external_host == host {
+                    debug!(app = app.provider.name, "found app based on external_host");
+                    return Some(Arc::clone(app));
+                }
+            }
+        }
+
+        if let Some(app) = &longest_match {
+            debug!(app = app.provider.name, "found app based on cookie domain");
+        }
+
+        longest_match
+    }
+}
+
+fn build_router(outpost: Arc<ProxyOutpost>) -> Router {
+    wrap_router(
+        Router::new()
+            .nest(
+                "/outpost.goauthentik.io/ping",
+                Router::new().fallback(handlers::handle_ping),
+            )
+            .fallback(handlers::default)
+            .with_state(outpost),
+        true,
+    )
+}
--- a/uv.lock
+++ b/uv.lock
@@ -316,7 +316,7 @@ dev = [
 requires-dist = [
    { name = "ak-guardian", editable = "packages/ak-guardian" },
    { name = "argon2-cffi", specifier = "==25.1.0" },
-    { name = "cachetools", specifier = "==7.0.6" },
+    { name = "cachetools", specifier = "==7.1.1" },
    { name = "channels", specifier = "==4.3.2" },
    { name = "cryptography", specifier = "==48.0.0" },
    { name = "dacite", specifier = "==1.9.2" },
@@ -345,7 +345,7 @@ requires-dist = [
    { name = "fido2", specifier = "==2.2.0" },
    { name = "geoip2", specifier = "==5.2.0" },
    { name = "geopy", specifier = "==2.4.1" },
-    { name = "google-api-python-client", specifier = "==2.194.0" },
+    { name = "google-api-python-client", specifier = "==2.195.0" },
    { name = "gssapi", specifier = "==1.11.1" },
    { name = "gunicorn", specifier = "==25.3.0" },
    { name = "jsonpatch", specifier = "==1.33" },
@@ -356,22 +356,22 @@ requires-dist = [
    { name = "msgraph-sdk", specifier = "==1.56.0" },
    { name = "opencontainers", git = "https://github.com/vsoch/oci-python?rev=ceb4fcc090851717a3069d78e85ceb1e86c2740c" },
    { name = "packaging", specifier = "==26.2" },
-    { name = "paramiko", specifier = "==4.0.0" },
+    { name = "paramiko", specifier = "==5.0.0" },
    { name = "psycopg", extras = ["c", "pool"], specifier = "==3.3.4" },
-    { name = "pydantic", specifier = "==2.13.3" },
+    { name = "pydantic", specifier = "==2.13.4" },
    { name = "pydantic-scim", specifier = "==0.0.8" },
    { name = "pyjwt", specifier = "==2.11.0" },
    { name = "pyrad", specifier = "==2.5.4" },
-    { name = "python-kadmin-rs", specifier = "==0.7.0" },
+    { name = "python-kadmin-rs", specifier = "==0.7.2" },
    { name = "pyyaml", specifier = "==6.0.3" },
    { name = "requests-oauthlib", specifier = "==2.0.0" },
    { name = "scim2-filter-parser", specifier = "==0.7.0" },
-    { name = "sentry-sdk", specifier = "==2.58.0" },
+    { name = "sentry-sdk", specifier = "==2.59.0" },
    { name = "service-identity", specifier = "==24.2.0" },
    { name = "setproctitle", specifier = "==1.3.7" },
    { name = "structlog", specifier = "==25.5.0" },
    { name = "swagger-spec-validator", specifier = "==3.0.4" },
-    { name = "twilio", specifier = "==9.10.5" },
+    { name = "twilio", specifier = "==9.10.9" },
    { name = "ua-parser", specifier = "==1.0.2" },
    { name = "unidecode", specifier = "==1.4.0" },
    { name = "urllib3", specifier = "<3" },
@@ -385,7 +385,7 @@ requires-dist = [

 [package.metadata.requires-dev]
 dev = [
-    { name = "aws-cdk-lib", specifier = "==2.251.0" },
+    { name = "aws-cdk-lib", specifier = "==2.252.0" },
    { name = "bandit", specifier = "==1.9.4" },
    { name = "black", specifier = "==26.3.1" },
    { name = "bpython", specifier = "==0.26" },
@@ -394,7 +394,7 @@ dev = [
    { name = "coverage", extras = ["toml"], specifier = "==7.13.5" },
    { name = "daphne", specifier = "==4.2.1" },
    { name = "debugpy", specifier = "==1.8.20" },
-    { name = "django-stubs", extras = ["compatible-mypy"], specifier = "==6.0.3" },
+    { name = "django-stubs", extras = ["compatible-mypy"], specifier = "==6.0.4" },
    { name = "djangorestframework-stubs", extras = ["compatible-mypy"], specifier = "==3.16.9" },
    { name = "drf-jsonschema-serializer", specifier = "==3.0.0" },
    { name = "freezegun", specifier = "==1.5.5" },
@@ -416,7 +416,7 @@ dev = [
    { name = "types-docker", specifier = "==7.1.0.20260409" },
    { name = "types-jwcrypto", specifier = "==1.5.7.20260409" },
    { name = "types-ldap3", specifier = "==2.9.13.20260408" },
-    { name = "types-requests", specifier = "==2.33.0.20260408" },
+    { name = "types-requests", specifier = "==2.33.0.20260503" },
    { name = "types-zxcvbn", specifier = "==4.5.0.20260408" },
 ]

@@ -495,7 +495,7 @@ wheels = [

 [[package]]
 name = "aws-cdk-lib"
-version = "2.251.0"
+version = "2.252.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "aws-cdk-asset-awscli-v1" },
@@ -506,9 +506,9 @@ dependencies = [
    { name = "publication" },
    { name = "typeguard" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b8/6c/d60d96e1848aabf1882e6a1d30a27de4a592affc9437d6918848f0e06497/aws_cdk_lib-2.251.0.tar.gz", hash = "sha256:ed69e7ea6896c62ac2ce01857083601baf541d5d875370bee6d213d641e8921e", size = 49353237, upload-time = "2026-04-24T23:21:04.805Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/0b/2e/468ed756570af782831bc0518b4f187773b036342ce1b6f3d4e13e6127d8/aws_cdk_lib-2.252.0.tar.gz", hash = "sha256:2498d771ab141599c48494bd2564ee9a4fbaade54befa9356811e9454616d0a0", size = 49479070, upload-time = "2026-04-30T12:31:54.452Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/d2/fb/ab682b518e3ca5d18b23b252832e0fade4e6617a2c0f2b0ae0d8d2e74312/aws_cdk_lib-2.251.0-py3-none-any.whl", hash = "sha256:a684f3461d096443ac688adbf559abe1af2d50dd5c8e0fa7dbf4a5f361702db8", size = 50035969, upload-time = "2026-04-24T23:20:18.952Z" },
+    { url = "https://files.pythonhosted.org/packages/ae/94/32c21ad93dc21554286955fd5ebc68cb91149cc5f7f3154b07927c3fc693/aws_cdk_lib-2.252.0-py3-none-any.whl", hash = "sha256:c96d02582d344ee81ea2ef8a5e22b6e680789973804720ec9f0e95a050257db1", size = 50157828, upload-time = "2026-04-30T12:31:11.041Z" },
 ]

 [[package]]
@@ -688,11 +688,11 @@ wheels = [

 [[package]]
 name = "cachetools"
-version = "7.0.6"
+version = "7.1.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/76/7b/1755ed2c6bfabd1d98b37ae73152f8dcf94aa40fee119d163c19ed484704/cachetools-7.0.6.tar.gz", hash = "sha256:e5d524d36d65703a87243a26ff08ad84f73352adbeafb1cde81e207b456aaf24", size = 37526, upload-time = "2026-04-20T19:02:23.289Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/ff/e2/85f227594656000ff4d8adadae91a21f536d4a84c6c716a86bd6685874be/cachetools-7.1.1.tar.gz", hash = "sha256:27bdf856d68fd3c71c26c01b5edc312124ed427524d1ddb31aa2b7746fe20d4b", size = 40202, upload-time = "2026-05-03T20:00:29.391Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/fe/c4/cf76242a5da1410917107ff14551764aa405a5fd10cd10cf9a5ca8fa77f4/cachetools-7.0.6-py3-none-any.whl", hash = "sha256:4e94956cfdd3086f12042cdd29318f5ced3893014f7d0d059bf3ead3f85b7f8b", size = 13976, upload-time = "2026-04-20T19:02:21.187Z" },
+    { url = "https://files.pythonhosted.org/packages/bf/0f/f897abe4ea0a8c408ae65c8c83bffab4936ad65d6032d4fb4cd35bbdc3ee/cachetools-7.1.1-py3-none-any.whl", hash = "sha256:0335cd7a0952d2b22327441fb0628139e234c565559eeb91a8a4ac7551c5353d", size = 16775, upload-time = "2026-05-03T20:00:27.857Z" },
 ]

 [[package]]
@@ -1269,7 +1269,7 @@ s3 = [

 [[package]]
 name = "django-stubs"
-version = "6.0.3"
+version = "6.0.4"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "django" },
@@ -1277,9 +1277,9 @@ dependencies = [
    { name = "types-pyyaml" },
    { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/86/0c/8d0d875af79bf774c1c3997c84aa118dba3a77be12086b9c14e130e8ec72/django_stubs-6.0.3.tar.gz", hash = "sha256:ee895f403c373608eeb50822f0733f9d9ec5ab12731d4ab58956053bb95fdd9e", size = 278214, upload-time = "2026-04-18T15:11:22.327Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/f9/82/ccf2a2dc9cdb4bd9cbe91f11e887589bf2da7609506db00ccbc73bd8a6da/django_stubs-6.0.4.tar.gz", hash = "sha256:7aee77e8de9c14c0d9cf84988befe826d93cbc15a87e0ade2943f14d553451cf", size = 280019, upload-time = "2026-05-09T21:24:30.436Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/80/a3/6751b7684d20fc4f228bdd3dd8341d382ab3faaf65d3d050c0d59ab0a1b0/django_stubs-6.0.3-py3-none-any.whl", hash = "sha256:5fee22bcbbad59a78c727a820b6f4e68ff442ca76a922b7002e57c25dd7cb390", size = 541570, upload-time = "2026-04-18T15:11:20.711Z" },
+    { url = "https://files.pythonhosted.org/packages/ba/e7/5128914ada94dd6277626ef5a4a5680a4def7d2f9366214d26c1cd86723b/django_stubs-6.0.4-py3-none-any.whl", hash = "sha256:e991c68f77239663577a5f4fc75e99c84f867f378cafc97cbf4acc5aff378279", size = 543791, upload-time = "2026-05-09T21:24:28.218Z" },
 ]

 [package.optional-dependencies]
@@ -1597,7 +1597,7 @@ wheels = [

 [[package]]
 name = "google-api-python-client"
-version = "2.194.0"
+version = "2.195.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "google-api-core" },
@@ -1606,9 +1606,9 @@ dependencies = [
    { name = "httplib2" },
    { name = "uritemplate" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/60/ab/e83af0eb043e4ccc49571ca7a6a49984e9d00f4e9e6e6f1238d60bc84dce/google_api_python_client-2.194.0.tar.gz", hash = "sha256:db92647bd1a90f40b79c9618461553c2b20b6a43ce7395fa6de07132dc14f023", size = 14443469, upload-time = "2026-04-08T23:07:35.757Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/69/07/08d759b9cb10f48af14b25262dd0d6685ca8cda6c1f9e8a8109f57457205/google_api_python_client-2.195.0.tar.gz", hash = "sha256:c72cf2661c3addf01c880ce60541e83e1df354644b874f7f9d8d5ed2070446ae", size = 14584819, upload-time = "2026-04-30T21:51:50.638Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/b0/34/5a624e49f179aa5b0cb87b2ce8093960299030ff40423bfbde09360eb908/google_api_python_client-2.194.0-py3-none-any.whl", hash = "sha256:61eaaac3b8fc8fdf11c08af87abc3d1342d1b37319cc1b57405f86ef7697e717", size = 15016514, upload-time = "2026-04-08T23:07:33.093Z" },
+    { url = "https://files.pythonhosted.org/packages/21/b9/2c71095e31fff57668fec7c07ac897df065f15521d070e63229e13689590/google_api_python_client-2.195.0-py3-none-any.whl", hash = "sha256:753e62057f23049a89534bea0162b60fe391b85fb86d80bcdf884d05ec91c5bf", size = 15162418, upload-time = "2026-04-30T21:51:47.444Z" },
 ]

 [[package]]
@@ -2589,7 +2589,7 @@ wheels = [

 [[package]]
 name = "paramiko"
-version = "4.0.0"
+version = "5.0.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "bcrypt" },
@@ -2597,9 +2597,9 @@ dependencies = [
    { name = "invoke" },
    { name = "pynacl" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/1f/e7/81fdcbc7f190cdb058cffc9431587eb289833bdd633e2002455ca9bb13d4/paramiko-4.0.0.tar.gz", hash = "sha256:6a25f07b380cc9c9a88d2b920ad37167ac4667f8d9886ccebd8f90f654b5d69f", size = 1630743, upload-time = "2025-08-04T01:02:03.711Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/62/93/dcc25d52f49022ae6175d15e6bd751f1acc99b98bc61fc55e5155a7be2e7/paramiko-5.0.0.tar.gz", hash = "sha256:36763b5b95c2a0dcfdf1abc48e48156ee425b21efe2f0e787c2dd5a95c0e5e79", size = 1548586, upload-time = "2026-05-09T18:28:52.256Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/a9/90/a744336f5af32c433bd09af7854599682a383b37cfd78f7de263de6ad6cb/paramiko-4.0.0-py3-none-any.whl", hash = "sha256:0e20e00ac666503bf0b4eda3b6d833465a2b7aff2e2b3d79a8bba5ef144ee3b9", size = 223932, upload-time = "2025-08-04T01:02:02.029Z" },
+    { url = "https://files.pythonhosted.org/packages/82/5b/eadf6d45de38d30ab603f49393b6cd2cbe7e233af8cf90197e32782b68a9/paramiko-5.0.0-py3-none-any.whl", hash = "sha256:b7044611c30140d9a75261653210e2002977b71a0497ff3ba0d98d7edbf62f7c", size = 208919, upload-time = "2026-05-09T18:28:50.295Z" },
 ]

 [[package]]
@@ -2813,7 +2813,7 @@ wheels = [

 [[package]]
 name = "pydantic"
-version = "2.13.3"
+version = "2.13.4"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "annotated-types" },
@@ -2821,9 +2821,9 @@ dependencies = [
    { name = "typing-extensions" },
    { name = "typing-inspection" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/d9/e4/40d09941a2cebcb20609b86a559817d5b9291c49dd6f8c87e5feffbe703a/pydantic-2.13.3.tar.gz", hash = "sha256:af09e9d1d09f4e7fe37145c1f577e1d61ceb9a41924bf0094a36506285d0a84d", size = 844068, upload-time = "2026-04-20T14:46:43.632Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/18/a5/b60d21ac674192f8ab0ba4e9fd860690f9b4a6e51ca5df118733b487d8d6/pydantic-2.13.4.tar.gz", hash = "sha256:c40756b57adaa8b1efeeced5c196f3f3b7c435f90e84ea7f443901bec8099ef6", size = 844775, upload-time = "2026-05-06T13:43:05.343Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/f3/0a/fd7d723f8f8153418fb40cf9c940e82004fce7e987026b08a68a36dd3fe7/pydantic-2.13.3-py3-none-any.whl", hash = "sha256:6db14ac8dfc9a1e57f87ea2c0de670c251240f43cb0c30a5130e9720dc612927", size = 471981, upload-time = "2026-04-20T14:46:41.402Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/7b/122376b1fd3c62c1ed9dc80c931ace4844b3c55407b6fb2d199377c9736f/pydantic-2.13.4-py3-none-any.whl", hash = "sha256:45a282cde31d808236fd7ea9d919b128653c8b38b393d1c4ab335c62924d9aba", size = 472262, upload-time = "2026-05-06T13:43:02.641Z" },
 ]

 [package.optional-dependencies]
@@ -2833,43 +2833,43 @@ email = [

 [[package]]
 name = "pydantic-core"
-version = "2.46.3"
+version = "2.46.4"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/2a/ef/f7abb56c49382a246fd2ce9c799691e3c3e7175ec74b14d99e798bcddb1a/pydantic_core-2.46.3.tar.gz", hash = "sha256:41c178f65b8c29807239d47e6050262eb6bf84eb695e41101e62e38df4a5bc2c", size = 471412, upload-time = "2026-04-20T14:40:56.672Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/9d/56/921726b776ace8d8f5db44c4ef961006580d91dc52b803c489fafd1aa249/pydantic_core-2.46.4.tar.gz", hash = "sha256:62f875393d7f270851f20523dd2e29f082bcc82292d66db2b64ea71f64b6e1c1", size = 471464, upload-time = "2026-05-06T13:37:06.98Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7f/db/a7bcb4940183fda36022cd18ba8dd12f2dff40740ec7b58ce7457befa416/pydantic_core-2.46.3-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:afa3aa644f74e290cdede48a7b0bee37d1c35e71b05105f6b340d484af536d9b", size = 2097614, upload-time = "2026-04-20T14:44:38.374Z" },
-    { url = "https://files.pythonhosted.org/packages/24/35/e4066358a22e3e99519db370494c7528f5a2aa1367370e80e27e20283543/pydantic_core-2.46.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:ced3310e51aa425f7f77da8bbbb5212616655bedbe82c70944320bc1dbe5e018", size = 1951896, upload-time = "2026-04-20T14:40:53.996Z" },
-    { url = "https://files.pythonhosted.org/packages/87/92/37cf4049d1636996e4b888c05a501f40a43ff218983a551d57f9d5e14f0d/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e29908922ce9da1a30b4da490bd1d3d82c01dcfdf864d2a74aacee674d0bfa34", size = 1979314, upload-time = "2026-04-20T14:41:49.446Z" },
-    { url = "https://files.pythonhosted.org/packages/d8/36/9ff4d676dfbdfb2d591cf43f3d90ded01e15b1404fd101180ed2d62a2fd3/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:0c9ff69140423eea8ed2d5477df3ba037f671f5e897d206d921bc9fdc39613e7", size = 2056133, upload-time = "2026-04-20T14:42:23.574Z" },
-    { url = "https://files.pythonhosted.org/packages/bc/f0/405b442a4d7ba855b06eec8b2bf9c617d43b8432d099dfdc7bf999293495/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b675ab0a0d5b1c8fdb81195dc5bcefea3f3c240871cdd7ff9a2de8aa50772eb2", size = 2228726, upload-time = "2026-04-20T14:44:22.816Z" },
-    { url = "https://files.pythonhosted.org/packages/e7/f8/65cd92dd5a0bd89ba277a98ecbfaf6fc36bbd3300973c7a4b826d6ab1391/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0087084960f209a9a4af50ecd1fb063d9ad3658c07bb81a7a53f452dacbfb2ba", size = 2301214, upload-time = "2026-04-20T14:44:48.792Z" },
-    { url = "https://files.pythonhosted.org/packages/fd/86/ef96a4c6e79e7a2d0410826a68fbc0eccc0fd44aa733be199d5fcac3bb87/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ed42e6cc8e1b0e2b9b96e2276bad70ae625d10d6d524aed0c93de974ae029f9f", size = 2099927, upload-time = "2026-04-20T14:41:40.196Z" },
-    { url = "https://files.pythonhosted.org/packages/6d/53/269caf30e0096e0a8a8f929d1982a27b3879872cca2d917d17c2f9fdf4fe/pydantic_core-2.46.3-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:f1771ce258afb3e4201e67d154edbbae712a76a6081079fe247c2f53c6322c22", size = 2128789, upload-time = "2026-04-20T14:41:15.868Z" },
-    { url = "https://files.pythonhosted.org/packages/00/b0/1a6d9b6a587e118482910c244a1c5acf4d192604174132efd12bf0ac486f/pydantic_core-2.46.3-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a7610b6a5242a6c736d8ad47fd5fff87fcfe8f833b281b1c409c3d6835d9227f", size = 2173815, upload-time = "2026-04-20T14:44:25.152Z" },
-    { url = "https://files.pythonhosted.org/packages/87/56/e7e00d4041a7e62b5a40815590114db3b535bf3ca0bf4dca9f16cef25246/pydantic_core-2.46.3-cp314-cp314-musllinux_1_1_aarch64.whl", hash = "sha256:ff5e7783bcc5476e1db448bf268f11cb257b1c276d3e89f00b5727be86dd0127", size = 2181608, upload-time = "2026-04-20T14:41:28.933Z" },
-    { url = "https://files.pythonhosted.org/packages/e8/22/4bd23c3d41f7c185d60808a1de83c76cf5aeabf792f6c636a55c3b1ec7f9/pydantic_core-2.46.3-cp314-cp314-musllinux_1_1_armv7l.whl", hash = "sha256:9d2e32edcc143bc01e95300671915d9ca052d4f745aa0a49c48d4803f8a85f2c", size = 2326968, upload-time = "2026-04-20T14:42:03.962Z" },
-    { url = "https://files.pythonhosted.org/packages/24/ac/66cd45129e3915e5ade3b292cb3bc7fd537f58f8f8dbdaba6170f7cabb74/pydantic_core-2.46.3-cp314-cp314-musllinux_1_1_x86_64.whl", hash = "sha256:6e42d83d1c6b87fa56b521479cff237e626a292f3b31b6345c15a99121b454c1", size = 2369842, upload-time = "2026-04-20T14:41:35.52Z" },
-    { url = "https://files.pythonhosted.org/packages/a2/51/dd4248abb84113615473aa20d5545b7c4cd73c8644003b5259686f93996c/pydantic_core-2.46.3-cp314-cp314-win32.whl", hash = "sha256:07bc6d2a28c3adb4f7c6ae46aa4f2d2929af127f587ed44057af50bf1ce0f505", size = 1959661, upload-time = "2026-04-20T14:41:00.042Z" },
-    { url = "https://files.pythonhosted.org/packages/20/eb/59980e5f1ae54a3b86372bd9f0fa373ea2d402e8cdcd3459334430f91e91/pydantic_core-2.46.3-cp314-cp314-win_amd64.whl", hash = "sha256:8940562319bc621da30714617e6a7eaa6b98c84e8c685bcdc02d7ed5e7c7c44e", size = 2071686, upload-time = "2026-04-20T14:43:16.471Z" },
-    { url = "https://files.pythonhosted.org/packages/8c/db/1cf77e5247047dfee34bc01fa9bca134854f528c8eb053e144298893d370/pydantic_core-2.46.3-cp314-cp314-win_arm64.whl", hash = "sha256:5dcbbcf4d22210ced8f837c96db941bdb078f419543472aca5d9a0bb7cddc7df", size = 2026907, upload-time = "2026-04-20T14:43:31.732Z" },
-    { url = "https://files.pythonhosted.org/packages/57/c0/b3df9f6a543276eadba0a48487b082ca1f201745329d97dbfa287034a230/pydantic_core-2.46.3-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:d0fe3dce1e836e418f912c1ad91c73357d03e556a4d286f441bf34fed2dbeecf", size = 2095047, upload-time = "2026-04-20T14:42:37.982Z" },
-    { url = "https://files.pythonhosted.org/packages/66/57/886a938073b97556c168fd99e1a7305bb363cd30a6d2c76086bf0587b32a/pydantic_core-2.46.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:9ce92e58abc722dac1bf835a6798a60b294e48eb0e625ec9fd994b932ac5feee", size = 1934329, upload-time = "2026-04-20T14:43:49.655Z" },
-    { url = "https://files.pythonhosted.org/packages/0b/7c/b42eaa5c34b13b07ecb51da21761297a9b8eb43044c864a035999998f328/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a03e6467f0f5ab796a486146d1b887b2dc5e5f9b3288898c1b1c3ad974e53e4a", size = 1974847, upload-time = "2026-04-20T14:42:10.737Z" },
-    { url = "https://files.pythonhosted.org/packages/e6/9b/92b42db6543e7de4f99ae977101a2967b63122d4b6cf7773812da2d7d5b5/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:2798b6ba041b9d70acfb9071a2ea13c8456dd1e6a5555798e41ba7b0790e329c", size = 2041742, upload-time = "2026-04-20T14:40:44.262Z" },
-    { url = "https://files.pythonhosted.org/packages/0f/19/46fbe1efabb5aa2834b43b9454e70f9a83ad9c338c1291e48bdc4fecf167/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9be3e221bdc6d69abf294dcf7aff6af19c31a5cdcc8f0aa3b14be29df4bd03b1", size = 2236235, upload-time = "2026-04-20T14:41:27.307Z" },
-    { url = "https://files.pythonhosted.org/packages/77/da/b3f95bc009ad60ec53120f5d16c6faa8cabdbe8a20d83849a1f2b8728148/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f13936129ce841f2a5ddf6f126fea3c43cd128807b5a59588c37cf10178c2e64", size = 2282633, upload-time = "2026-04-20T14:44:33.271Z" },
-    { url = "https://files.pythonhosted.org/packages/cc/6e/401336117722e28f32fb8220df676769d28ebdf08f2f4469646d404c43a3/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:28b5f2ef03416facccb1c6ef744c69793175fd27e44ef15669201601cf423acb", size = 2109679, upload-time = "2026-04-20T14:44:41.065Z" },
-    { url = "https://files.pythonhosted.org/packages/fc/53/b289f9bc8756a32fe718c46f55afaeaf8d489ee18d1a1e7be1db73f42cc4/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:830d1247d77ad23852314f069e9d7ddafeec5f684baf9d7e7065ed46a049c4e6", size = 2108342, upload-time = "2026-04-20T14:42:50.144Z" },
-    { url = "https://files.pythonhosted.org/packages/10/5b/8292fc7c1f9111f1b2b7c1b0dcf1179edcd014fc3ea4517499f50b829d71/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d0793c90c1a3c74966e7975eaef3ed30ebdff3260a0f815a62a22adc17e4c01c", size = 2157208, upload-time = "2026-04-20T14:42:08.133Z" },
-    { url = "https://files.pythonhosted.org/packages/2b/9e/f80044e9ec07580f057a89fc131f78dda7a58751ddf52bbe05eaf31db50f/pydantic_core-2.46.3-cp314-cp314t-musllinux_1_1_aarch64.whl", hash = "sha256:d2d0aead851b66f5245ec0c4fb2612ef457f8bbafefdf65a2bf9d6bac6140f47", size = 2167237, upload-time = "2026-04-20T14:42:25.412Z" },
-    { url = "https://files.pythonhosted.org/packages/f8/84/6781a1b037f3b96be9227edbd1101f6d3946746056231bf4ac48cdff1a8d/pydantic_core-2.46.3-cp314-cp314t-musllinux_1_1_armv7l.whl", hash = "sha256:2f40e4246676beb31c5ce77c38a55ca4e465c6b38d11ea1bd935420568e0b1ab", size = 2312540, upload-time = "2026-04-20T14:40:40.313Z" },
-    { url = "https://files.pythonhosted.org/packages/3e/db/19c0839feeb728e7df03255581f198dfdf1c2aeb1e174a8420b63c5252e5/pydantic_core-2.46.3-cp314-cp314t-musllinux_1_1_x86_64.whl", hash = "sha256:cf489cf8986c543939aeee17a09c04d6ffb43bfef8ca16fcbcc5cfdcbed24dba", size = 2369556, upload-time = "2026-04-20T14:41:09.427Z" },
-    { url = "https://files.pythonhosted.org/packages/e0/15/3228774cb7cd45f5f721ddf1b2242747f4eb834d0c491f0c02d606f09fed/pydantic_core-2.46.3-cp314-cp314t-win32.whl", hash = "sha256:ffe0883b56cfc05798bf994164d2b2ff03efe2d22022a2bb080f3b626176dd56", size = 1949756, upload-time = "2026-04-20T14:41:25.717Z" },
-    { url = "https://files.pythonhosted.org/packages/b8/2a/c79cf53fd91e5a87e30d481809f52f9a60dd221e39de66455cf04deaad37/pydantic_core-2.46.3-cp314-cp314t-win_amd64.whl", hash = "sha256:706d9d0ce9cf4593d07270d8e9f53b161f90c57d315aeec4fb4fd7a8b10240d8", size = 2051305, upload-time = "2026-04-20T14:43:18.627Z" },
-    { url = "https://files.pythonhosted.org/packages/0b/db/d8182a7f1d9343a032265aae186eb063fe26ca4c40f256b21e8da4498e89/pydantic_core-2.46.3-cp314-cp314t-win_arm64.whl", hash = "sha256:77706aeb41df6a76568434701e0917da10692da28cb69d5fb6919ce5fdb07374", size = 2026310, upload-time = "2026-04-20T14:41:01.778Z" },
+    { url = "https://files.pythonhosted.org/packages/8d/74/228a26ddad29c6672b805d9fd78e8d251cd04004fa7eed0e622096cd0250/pydantic_core-2.46.4-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:428e04521a40150c85216fc8b85e8d39fece235a9cf5e383761238c7fa9b96fb", size = 2102079, upload-time = "2026-05-06T13:38:41.019Z" },
+    { url = "https://files.pythonhosted.org/packages/ad/1f/8970b150a4b4365623ae00fc88603491f763c627311ae8031e3111356d6e/pydantic_core-2.46.4-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:23ace664830ee0bfe014a0c7bc248b1f7f25ed7ad103852c317624a1083af462", size = 1952179, upload-time = "2026-05-06T13:36:59.812Z" },
+    { url = "https://files.pythonhosted.org/packages/95/30/5211a831ae054928054b2f79731661087a2bc5c01e825c672b3a4a8f1b3e/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ce5c1d2a8b27468f433ca974829c44060b8097eedc39933e3c206a90ee49c4a9", size = 1978926, upload-time = "2026-05-06T13:37:39.933Z" },
+    { url = "https://files.pythonhosted.org/packages/57/e9/689668733b1eb67adeef047db3c2e8788fcf65a7fd9c9e2b46b7744fe245/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7283d57845ecf5a163403eb0702dfc220cc4fbdd18919cb5ccea4f95ee1cdab4", size = 2046785, upload-time = "2026-05-06T13:38:01.995Z" },
+    { url = "https://files.pythonhosted.org/packages/60/d9/6715260422ff50a2109878fd24d948a6c3446bb2664f34ee78cd972b3acd/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8daafc69c93ee8a0204506a3b6b30f586ef54028f52aeeeb5c4cfc5184fd5914", size = 2228733, upload-time = "2026-05-06T13:40:50.371Z" },
+    { url = "https://files.pythonhosted.org/packages/18/ae/fdb2f64316afca925640f8e70bb1a564b0ec2721c1389e25b8eb4bf9a299/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd2213145bcc2ba85884d0ac63d222fece9209678f77b9b4d76f054c561adb28", size = 2307534, upload-time = "2026-05-06T13:37:21.531Z" },
+    { url = "https://files.pythonhosted.org/packages/89/1d/8eff589b45bb8190a9d12c49cfad0f176a5cbd1534908a6b5125e2886239/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7a5f930472650a82629163023e630d160863fce524c616f4e5186e5de9d9a49b", size = 2099732, upload-time = "2026-05-06T13:39:31.942Z" },
+    { url = "https://files.pythonhosted.org/packages/06/d5/ee5a3366637fee41dee51a1fc91562dcf12ddbc68fda34e6b253da2324bb/pydantic_core-2.46.4-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:c1b3f518abeca3aa13c712fd202306e145abf59a18b094a6bafb2d2bbf59192c", size = 2129627, upload-time = "2026-05-06T13:37:25.033Z" },
+    { url = "https://files.pythonhosted.org/packages/94/33/2414be571d2c6a6c4d08be21f9292b6d3fdb08949a97b6dfe985017821db/pydantic_core-2.46.4-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:1a7dd0b3ee80d90150e3495a3a13ac34dbcbfd4f012996a6a1d8900e91b5c0fb", size = 2179141, upload-time = "2026-05-06T13:37:14.046Z" },
+    { url = "https://files.pythonhosted.org/packages/7b/79/7daa95be995be0eecc4cf75064cb33f9bbbfe3fe0158caf2f0d4a996a5c7/pydantic_core-2.46.4-cp314-cp314-musllinux_1_1_aarch64.whl", hash = "sha256:3fb702cd90b0446a3a1c5e470bfa0dd23c0233b676a9099ddcc964fa6ca13898", size = 2184325, upload-time = "2026-05-06T13:36:53.615Z" },
+    { url = "https://files.pythonhosted.org/packages/9f/cb/d0a382f5c0de8a222dc61c65348e0ce831b1f68e0a018450d31c2cace3a5/pydantic_core-2.46.4-cp314-cp314-musllinux_1_1_armv7l.whl", hash = "sha256:b8458003118a712e66286df6a707db01c52c0f52f7db8e4a38f0da1d3b94fc4e", size = 2323990, upload-time = "2026-05-06T13:40:29.971Z" },
+    { url = "https://files.pythonhosted.org/packages/05/db/d9ba624cc4a5aced1598e88c04fdbd8310c8a69b9d38b9a3d39ce3a61ed7/pydantic_core-2.46.4-cp314-cp314-musllinux_1_1_x86_64.whl", hash = "sha256:372429a130e469c9cd698925ce5fc50940b7a1336b0d82038e63d5bbc4edc519", size = 2369978, upload-time = "2026-05-06T13:37:23.027Z" },
+    { url = "https://files.pythonhosted.org/packages/f2/20/d15df15ba918c423461905802bfd2981c3af0bfa0e40d05e13edbfa48bc3/pydantic_core-2.46.4-cp314-cp314-win32.whl", hash = "sha256:85bb3611ff1802f3ee7fdd7dbff26b56f343fb432d57a4728fdd49b6ef35e2f4", size = 1966354, upload-time = "2026-05-06T13:38:03.499Z" },
+    { url = "https://files.pythonhosted.org/packages/fc/b6/6b8de4c0a7d7ab3004c439c80c5c1e0a3e8d78bbae19379b01960383d9e5/pydantic_core-2.46.4-cp314-cp314-win_amd64.whl", hash = "sha256:811ff8e9c313ab425368bcbb36e5c4ebd7108c2bbf4e4089cfbb0b01eff63fac", size = 2072238, upload-time = "2026-05-06T13:39:40.807Z" },
+    { url = "https://files.pythonhosted.org/packages/32/36/51eb763beec1f4cf59b1db243a7dcc39cbb41230f050a09b9d69faaf0a48/pydantic_core-2.46.4-cp314-cp314-win_arm64.whl", hash = "sha256:bfec22eab3c8cc2ceec0248aec886624116dc079afa027ecc8ad4a7e62010f8a", size = 2018251, upload-time = "2026-05-06T13:37:26.72Z" },
+    { url = "https://files.pythonhosted.org/packages/e8/91/855af51d625b23aa987116a19e231d2aaef9c4a415273ddc189b79a45fee/pydantic_core-2.46.4-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:af8244b2bef6aaad6d92cda81372de7f8c8d36c9f0c3ea36e827c60e7d9467a0", size = 2099593, upload-time = "2026-05-06T13:39:47.682Z" },
+    { url = "https://files.pythonhosted.org/packages/fb/1b/8784a54c65edb5f49f0a14d6977cf1b209bba85a4c77445b255c2de58ab3/pydantic_core-2.46.4-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:5a4330cdbc57162e4b3aa303f588ba752257694c9c9be3e7ebb11b4aca659b5d", size = 1935226, upload-time = "2026-05-06T13:40:40.428Z" },
+    { url = "https://files.pythonhosted.org/packages/e8/e7/1955d28d1afc56dd4b3ad7cc0cf39df1b9852964cf16e5d13912756d6d6b/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:29c61fc04a3d840155ff08e475a04809278972fe6aef51e2720554e96367e34b", size = 1974605, upload-time = "2026-05-06T13:37:32.029Z" },
+    { url = "https://files.pythonhosted.org/packages/93/e2/3fedbf0ba7a22850e6e9fd78117f1c0f10f950182344d8a6c535d468fdd8/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c50f2528cf200c5eed56faf3f4e22fcd5f38c157a8b78576e6ba3168ec35f000", size = 2030777, upload-time = "2026-05-06T13:38:55.239Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/61/46be275fcaaba0b4f5b9669dd852267ce1ff616592dccf7a7845588df091/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0cbe8b01f948de4286c74cdd6c667aceb38f5c1e26f0693b3983d9d74887c65e", size = 2236641, upload-time = "2026-05-06T13:37:08.096Z" },
+    { url = "https://files.pythonhosted.org/packages/60/db/12e93e46a8bac9988be3c016860f83293daea8c716c029c9ace279036f2f/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:617d7e2ca7dcb8c5cf6bcb8c59b8832c94b36196bbf1cbd1bfb56ed341905edd", size = 2286404, upload-time = "2026-05-06T13:40:20.221Z" },
+    { url = "https://files.pythonhosted.org/packages/e2/4a/4d8b19008f38d31c53b8219cfedc2e3d5de5fe99d90076b7e767de29274f/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7027560ee92211647d0d34e3f7cd6f50da56399d26a9c8ad0da286d3869a53f3", size = 2109219, upload-time = "2026-05-06T13:38:12.153Z" },
+    { url = "https://files.pythonhosted.org/packages/88/70/3cbc40978fefb7bb09c6708d40d4ad1a5d70fd7213c3d17f971de868ec1f/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:f99626688942fb746e545232e7726926f3be91b5975f8b55327665fafda991c7", size = 2110594, upload-time = "2026-05-06T13:40:02.971Z" },
+    { url = "https://files.pythonhosted.org/packages/9d/20/b8d36736216e29491125531685b2f9e61aa5b4b2599893f8268551da3338/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:fc3e9034a63de20e15e8ade85358bc6efc614008cab72898b4b4952bea0509ff", size = 2159542, upload-time = "2026-05-06T13:39:27.506Z" },
+    { url = "https://files.pythonhosted.org/packages/1d/a2/367df868eb584dacf6bf82a389272406d7178e301c4ac82545ab98bc2dd9/pydantic_core-2.46.4-cp314-cp314t-musllinux_1_1_aarch64.whl", hash = "sha256:97e7cf2be5c77b7d1a9713a05605d49460d02c6078d38d8bef3cbe323c548424", size = 2168146, upload-time = "2026-05-06T13:38:31.93Z" },
+    { url = "https://files.pythonhosted.org/packages/c1/b8/4460f77f7e201893f649a29ab355dddd3beee8a97bcb1a320db414f9a06e/pydantic_core-2.46.4-cp314-cp314t-musllinux_1_1_armv7l.whl", hash = "sha256:3bf92c5d0e00fefaab325a4d27828fe6b6e2a21848686b5b60d2d9eeb09d76c6", size = 2306309, upload-time = "2026-05-06T13:37:44.717Z" },
+    { url = "https://files.pythonhosted.org/packages/64/c4/be2639293acd87dc8ddbcec41a73cee9b2ebf996fe6d892a1a74e88ad3f7/pydantic_core-2.46.4-cp314-cp314t-musllinux_1_1_x86_64.whl", hash = "sha256:3ecbc122d18468d06ca279dc26a8c2e2d5acb10943bb35e36ae92096dc3b5565", size = 2369736, upload-time = "2026-05-06T13:37:05.645Z" },
+    { url = "https://files.pythonhosted.org/packages/30/a6/9f9f380dbb301f67023bf8f707aaa75daadf84f7152d95c410fd7e81d994/pydantic_core-2.46.4-cp314-cp314t-win32.whl", hash = "sha256:e846ae7835bf0703ae43f534ab79a867146dadd59dc9ca5c8b53d5c8f7c9ef02", size = 1955575, upload-time = "2026-05-06T13:38:51.116Z" },
+    { url = "https://files.pythonhosted.org/packages/40/1f/f1eb9eb350e795d1af8586289746f5c5677d16043040d63710e22abc43c9/pydantic_core-2.46.4-cp314-cp314t-win_amd64.whl", hash = "sha256:2108ba5c1c1eca18030634489dc544844144ee36357f2f9f780b93e7ddbb44b5", size = 2051624, upload-time = "2026-05-06T13:38:21.672Z" },
+    { url = "https://files.pythonhosted.org/packages/f6/d2/42dd53d0a85c27606f316d3aa5d2869c4e8470a5ed6dec30e4a1abe19192/pydantic_core-2.46.4-cp314-cp314t-win_arm64.whl", hash = "sha256:4fcbe087dbc2068af7eda3aa87634eba216dbda64d1ae73c8684b621d33f6596", size = 2017325, upload-time = "2026-05-06T13:40:52.723Z" },
 ]

 [[package]]
@@ -3083,18 +3083,18 @@ wheels = [

 [[package]]
 name = "python-kadmin-rs"
-version = "0.7.0"
+version = "0.7.2"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/c6/18/2773570703e5ab13fc0390797685cb6c09b8002d96438c57a8e887cc3234/python_kadmin_rs-0.7.0.tar.gz", hash = "sha256:e8a539fda1a1006fe5f0868c0e59a36b3b90d451da9c0c2bc3a9bfc7173efbdc", size = 112469, upload-time = "2026-01-15T17:49:10.467Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/ab/96/f5ed764f06621d1c06b469ec2a24c2da64a0fdb9f13d1c7005c70fd7804d/python_kadmin_rs-0.7.2.tar.gz", hash = "sha256:1f57ab7b61540c420eb684154e56638d42e4bafe2ac66362c2d667cda7d0ce8c", size = 119177, upload-time = "2026-05-11T13:31:19.071Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/71/05/94e7575a69ea5d3fc23d4df4a8e4d5acb6f6d3633f23b0a8b6b6360da775/python_kadmin_rs-0.7.0-cp314-cp314-macosx_14_0_arm64.whl", hash = "sha256:d1418825ba6c161d504b7905a99ef475d5ec1fdf15e6f5b72e4641f350fbc261", size = 510261, upload-time = "2026-01-15T17:48:52.002Z" },
-    { url = "https://files.pythonhosted.org/packages/d7/16/58671c341caef38a492e327cf3e0b24aba2842419da15566f8e3d42c9382/python_kadmin_rs-0.7.0-cp314-cp314-macosx_14_0_x86_64.whl", hash = "sha256:b247bc5f5a075107088cdcec22c67125aa6706fdcd2e264a99a478f1bedecd7d", size = 527751, upload-time = "2026-01-15T17:48:53.504Z" },
-    { url = "https://files.pythonhosted.org/packages/b3/d1/505e34ce204601aae0fcecaf56c66e808803426199948d3a26a6c16a9e5b/python_kadmin_rs-0.7.0-cp314-cp314-manylinux_2_28_aarch64.whl", hash = "sha256:8e6d8ea17a02bb0527219abadac08a63a47f97351f41c79fade77dd11a380795", size = 552634, upload-time = "2026-01-15T17:48:54.96Z" },
-    { url = "https://files.pythonhosted.org/packages/0b/51/391a3d8ee99aeb2466efe499e52ef6a7479d7ac426635d92cd050a5fe3f9/python_kadmin_rs-0.7.0-cp314-cp314-manylinux_2_28_x86_64.whl", hash = "sha256:82107ee5ea3dc1a3b716323687febc64ed2fa462ebd986565fba7394add04792", size = 554659, upload-time = "2026-01-15T17:48:56.408Z" },
-    { url = "https://files.pythonhosted.org/packages/c2/77/6a2fe8a9bef6e3d94f842492db7216c4d0a47c5a67a8a7265c126ed5be58/python_kadmin_rs-0.7.0-cp314-cp314t-macosx_14_0_arm64.whl", hash = "sha256:ed58ec35dd89a381408fa92f0404d6321f2e6687c58c974f820f113a7052f39f", size = 512638, upload-time = "2026-01-15T17:48:58.519Z" },
-    { url = "https://files.pythonhosted.org/packages/ef/e4/ddd909d4b5ff00a3ed277699f3e2204785367a52088dcb41465b8e01f733/python_kadmin_rs-0.7.0-cp314-cp314t-macosx_14_0_x86_64.whl", hash = "sha256:6a6b63680e10a450e553a84a15216f61af838d86d623caec1fb1c2977907d1ef", size = 530752, upload-time = "2026-01-15T17:49:00.108Z" },
-    { url = "https://files.pythonhosted.org/packages/fd/b2/7d4ea81b768a4ea6be57d9bc70f1841828483a092598b60243a7ad8c798c/python_kadmin_rs-0.7.0-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:e48cdf80bdece9fdcc70d9ef9237821ae9366cf7944742cd412ac2ebd07a40cc", size = 553270, upload-time = "2026-01-15T17:49:01.682Z" },
-    { url = "https://files.pythonhosted.org/packages/26/b7/87851916c895f31e67a9fe827dabfe3a2f09cf8ecf090cb4ac513f100157/python_kadmin_rs-0.7.0-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:e63aec5daa1a8469f5b617aa8a5b5a689e2b18241026c7e666ca0f8b5e8688c8", size = 556308, upload-time = "2026-01-15T17:49:03.199Z" },
+    { url = "https://files.pythonhosted.org/packages/63/f2/e86b79e1cc8d43c8865f65b5b9c7b06fbfb56e56b812bd279c38faa100cd/python_kadmin_rs-0.7.2-cp314-cp314-macosx_14_0_arm64.whl", hash = "sha256:2c77b425805669831e2c4eb316304b9f4690ac27a74cb34e2b92dc0979ab0d3c", size = 512988, upload-time = "2026-05-11T13:31:01.655Z" },
+    { url = "https://files.pythonhosted.org/packages/17/d6/200dd8ca05bbdf48d77050a0a75c183fca740f2d33e59c8083832514d300/python_kadmin_rs-0.7.2-cp314-cp314-macosx_14_0_x86_64.whl", hash = "sha256:403c04a395f42d87cbfa46d60f9145841a8b5c6d8ac1f2dab0f457e3e3b7049c", size = 527527, upload-time = "2026-05-11T13:31:03.528Z" },
+    { url = "https://files.pythonhosted.org/packages/54/03/e9ebb35c7c1441722ced8097c19c1737b1db28c18d9a0c219fe12fe94257/python_kadmin_rs-0.7.2-cp314-cp314-manylinux_2_28_aarch64.whl", hash = "sha256:5f1560747e1a936cc9509c87d45180e351096b3be47c8af81a6f3dd4516ca34b", size = 564813, upload-time = "2026-05-11T13:31:05.464Z" },
+    { url = "https://files.pythonhosted.org/packages/f9/d8/c2706859bec76cc629d7665effd6fd540d31b10631d800796269806c86cc/python_kadmin_rs-0.7.2-cp314-cp314-manylinux_2_28_x86_64.whl", hash = "sha256:cb51f980597383c4f4adb308e3e4c0c796e5dba560f68b17e4b3cd269c043ae2", size = 562188, upload-time = "2026-05-11T13:31:06.875Z" },
+    { url = "https://files.pythonhosted.org/packages/00/ad/808be9b2b5a52ff0244e323a4d2ec00b66c21c98e49088399a744da15085/python_kadmin_rs-0.7.2-cp314-cp314t-macosx_14_0_arm64.whl", hash = "sha256:08fea0f139d5cfdcda24446355578071b8ac02223bb9433077b895df6655cb9e", size = 511783, upload-time = "2026-05-11T13:31:08.291Z" },
+    { url = "https://files.pythonhosted.org/packages/0c/9a/73ab8930b37eafa3a41341c245df6066d38a5b8076cae4f39d7f59eab7bb/python_kadmin_rs-0.7.2-cp314-cp314t-macosx_14_0_x86_64.whl", hash = "sha256:ff124a363e6c8707d738191969e22c08d2cef73b3d6fc0ce86f1dcd81715e170", size = 526356, upload-time = "2026-05-11T13:31:10.137Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/26/acddc2766900537b94e923ecd12c9f4d5ee6a0f551ffe7998826055c8193/python_kadmin_rs-0.7.2-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:5124b7f27b67d034c6c13ebfbb65c036e197e30bc47c457853489e08d535cb3c", size = 561923, upload-time = "2026-05-11T13:31:11.843Z" },
+    { url = "https://files.pythonhosted.org/packages/d8/4e/42b317789b5e204995431762b7dcede1544581ee5caacebac36d8991f478/python_kadmin_rs-0.7.2-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:0741de2fd55338b356a424899c2cc400314dd57ae2031ed879a2765edfc2f0a1", size = 562006, upload-time = "2026-05-11T13:31:13.206Z" },
 ]

 [[package]]
@@ -3332,15 +3332,15 @@ wheels = [

 [[package]]
 name = "sentry-sdk"
-version = "2.58.0"
+version = "2.59.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
    { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/26/b3/fb8291170d0e844173164709fc0fa0c221ed75a5da740c8746f2a83b4eb1/sentry_sdk-2.58.0.tar.gz", hash = "sha256:c1144d947352d54e5b7daa63596d9f848adf684989c06c4f5a659f0c85a18f6f", size = 438764, upload-time = "2026-04-13T17:23:26.265Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/65/e0/9bf5e5fc7442b10880f3ec0eff0ef4208b84a099606f343ec4f5445227fb/sentry_sdk-2.59.0.tar.gz", hash = "sha256:cd265808ef8bf3f3edf69b527c0a0b2b6b1322762679e55b8987db2e9584aec1", size = 447331, upload-time = "2026-05-04T12:19:06.538Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/fa/eb/d875669993b762556ae8b2efd86219943b4c0864d22204d622a9aee3052b/sentry_sdk-2.58.0-py2.py3-none-any.whl", hash = "sha256:688d1c704ddecf382ea3326f21a67453d4caa95592d722b7c780a36a9d23109e", size = 460919, upload-time = "2026-04-13T17:23:24.675Z" },
+    { url = "https://files.pythonhosted.org/packages/bf/00/b8cc413748fb6383d1582e7cda51314f99743351c462a92dc690d5b5853b/sentry_sdk-2.59.0-py2.py3-none-any.whl", hash = "sha256:abcf65ee9a9d9cdebf9ad369782408ecca9c1c792686ef06ba34f5ab233527fe", size = 468432, upload-time = "2026-05-04T12:19:04.741Z" },
 ]

 [[package]]
@@ -3524,7 +3524,7 @@ wheels = [

 [[package]]
 name = "twilio"
-version = "9.10.5"
+version = "9.10.9"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "aiohttp" },
@@ -3532,9 +3532,9 @@ dependencies = [
    { name = "pyjwt" },
    { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b5/97/c439bc2c058f8a24edd732f5cc82adedd8794bcc2da0836c2eff1e2dbe91/twilio-9.10.5.tar.gz", hash = "sha256:d9f93b9280349ee7b52e7f17a0600fd7bfd0f7ff88eb00c40270164bc058743f", size = 1641690, upload-time = "2026-04-14T09:52:09.392Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/30/af/275130be4783c6e2b2122d3b278b63da0007611d1dc073d6414adcc6be03/twilio-9.10.9.tar.gz", hash = "sha256:eb74fc026c85a89372836414f57e262119efaa160b9419cf4d05b59056b8e89d", size = 1762839, upload-time = "2026-05-07T17:34:38.162Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/4a/97/4fdde5e54fcbb789aa1a70c371f2f33d7eb1e58e8a6131fdbd8a98490976/twilio-9.10.5-py2.py3-none-any.whl", hash = "sha256:7972db54496fbf501b238f34d1f717f80ff22720313dc706632787aad5934997", size = 2284944, upload-time = "2026-04-14T09:52:07.333Z" },
+    { url = "https://files.pythonhosted.org/packages/ed/6b/df08b499d01ba6b9f7f42f9dd51b82aab1eb26c93602f3b89179a520494f/twilio-9.10.9-py2.py3-none-any.whl", hash = "sha256:1c50bfb394b5dbc044bacab24b2e3b550bee0c08da51c4a1fa4816293303e66c", size = 2452983, upload-time = "2026-05-07T17:34:36.459Z" },
 ]

 [[package]]
@@ -3663,14 +3663,14 @@ wheels = [

 [[package]]
 name = "types-requests"
-version = "2.33.0.20260408"
+version = "2.33.0.20260503"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/69/6a/749dc53a54a3f35842c1f8197b3ca6b54af6d7458a1bfc75f6629b6da666/types_requests-2.33.0.20260408.tar.gz", hash = "sha256:95b9a86376807a216b2fb412b47617b202091c3ea7c078f47cc358d5528ccb7b", size = 23882, upload-time = "2026-04-08T04:34:49.33Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/a1/b8/57e94268c0d82ac3eaa2fc35aa8ca7bbc2542f726b67dcf90b0b00a3b14d/types_requests-2.33.0.20260503.tar.gz", hash = "sha256:9721b2d9dbee7131f2fb39f20f0ebb1999c18cef4b512c9a7932f3722de7c5f4", size = 23931, upload-time = "2026-05-03T05:20:08.882Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/90/b8/78fd6c037de4788c040fdd323b3369804400351b7827473920f6c1d03c10/types_requests-2.33.0.20260408-py3-none-any.whl", hash = "sha256:81f31d5ea4acb39f03be7bc8bed569ba6d5a9c5d97e89f45ac43d819b68ca50f", size = 20739, upload-time = "2026-04-08T04:34:48.325Z" },
+    { url = "https://files.pythonhosted.org/packages/c3/82/959113a6351f3ca046cd0a8cd2cee071d7ea47473560557a01eeae9a6fe2/types_requests-2.33.0.20260503-py3-none-any.whl", hash = "sha256:02aaa7e3577a13471715bb1bddb693cc985ea514f754b503bf033e6a09a3e528", size = 20736, upload-time = "2026-05-03T05:20:07.858Z" },
 ]

 [[package]]
@@ -3743,32 +3743,32 @@ wheels = [

 [[package]]
 name = "ujson"
-version = "5.12.0"
+version = "5.12.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/cb/3e/c35530c5ffc25b71c59ae0cd7b8f99df37313daa162ce1e2f7925f7c2877/ujson-5.12.0.tar.gz", hash = "sha256:14b2e1eb528d77bc0f4c5bd1a7ebc05e02b5b41beefb7e8567c9675b8b13bcf4", size = 7158451, upload-time = "2026-03-11T22:19:30.397Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/bc/78/937198ea8708182dd1edbf0237bf255a96feab3f511691ad08b84da98e5d/ujson-5.12.1.tar.gz", hash = "sha256:5b7e96406c301a1366534479a7352ec40ec68bb327c0c119091635acd5925e35", size = 7164538, upload-time = "2026-05-05T22:05:01.354Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/10/bd/9a8d693254bada62bfea75a507e014afcfdb6b9d047b6f8dd134bfefaf67/ujson-5.12.0-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:85833bca01aa5cae326ac759276dc175c5fa3f7b3733b7d543cf27f2df12d1ef", size = 56499, upload-time = "2026-03-11T22:18:45.431Z" },
-    { url = "https://files.pythonhosted.org/packages/bd/2d/285a83df8176e18dcd675d1a4cff8f7620f003f30903ea43929406e98986/ujson-5.12.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:d22cad98c2a10bbf6aa083a8980db6ed90d4285a841c4de892890c2b28286ef9", size = 53998, upload-time = "2026-03-11T22:18:47.184Z" },
-    { url = "https://files.pythonhosted.org/packages/bf/8b/e2f09e16dabfa91f6a84555df34a4329fa7621e92ed054d170b9054b9bb2/ujson-5.12.0-cp314-cp314-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:99cc80facad240b0c2fb5a633044420878aac87a8e7c348b9486450cba93f27c", size = 57783, upload-time = "2026-03-11T22:18:48.271Z" },
-    { url = "https://files.pythonhosted.org/packages/68/fb/ba1d06f3658a0c36d0ab3869ec3914f202bad0a9bde92654e41516c7bb13/ujson-5.12.0-cp314-cp314-manylinux_2_24_i686.manylinux_2_28_i686.whl", hash = "sha256:d1831c07bd4dce53c4b666fa846c7eba4b7c414f2e641a4585b7f50b72f502dc", size = 60011, upload-time = "2026-03-11T22:18:49.284Z" },
-    { url = "https://files.pythonhosted.org/packages/64/2b/3e322bf82d926d9857206cd5820438d78392d1f523dacecb8bd899952f73/ujson-5.12.0-cp314-cp314-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0e00cec383eab2406c9e006bd4edb55d284e94bb943fda558326048178d26961", size = 57465, upload-time = "2026-03-11T22:18:50.584Z" },
-    { url = "https://files.pythonhosted.org/packages/e9/fd/af72d69603f9885e5136509a529a4f6d88bf652b457263ff96aefcd3ab7d/ujson-5.12.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:f19b3af31d02a2e79c5f9a6deaab0fb3c116456aeb9277d11720ad433de6dfc6", size = 1037275, upload-time = "2026-03-11T22:18:51.998Z" },
-    { url = "https://files.pythonhosted.org/packages/9c/a7/a2411ec81aef7872578e56304c3e41b3a544a9809e95c8e1df46923fc40b/ujson-5.12.0-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:bacbd3c69862478cbe1c7ed4325caedec580d8acf31b8ee1b9a1e02a56295cad", size = 1196758, upload-time = "2026-03-11T22:18:53.548Z" },
-    { url = "https://files.pythonhosted.org/packages/ed/85/aa18ae175dd03a118555aa14304d4f466f9db61b924c97c6f84388ecacb1/ujson-5.12.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:94c5f1621cbcab83c03be46441f090b68b9f307b6c7ec44d4e3f6d5997383df4", size = 1089760, upload-time = "2026-03-11T22:18:55.336Z" },
-    { url = "https://files.pythonhosted.org/packages/d3/d4/4b40b67ac7e916ebffc3041ae2320c5c0b8a045300d4c542b6e50930cca5/ujson-5.12.0-cp314-cp314-win32.whl", hash = "sha256:e6369ac293d2cc40d52577e4fa3d75a70c1aae2d01fa3580a34a4e6eff9286b9", size = 41043, upload-time = "2026-03-11T22:18:56.505Z" },
-    { url = "https://files.pythonhosted.org/packages/24/38/a1496d2a3428981f2b3a2ffbb4656c2b05be6cc406301d6b10a6445f6481/ujson-5.12.0-cp314-cp314-win_amd64.whl", hash = "sha256:31348a0ffbfc815ce78daac569d893349d85a0b57e1cd2cdbba50b7f333784da", size = 45303, upload-time = "2026-03-11T22:18:57.454Z" },
-    { url = "https://files.pythonhosted.org/packages/85/d3/39dbd3159543d9c57ec3a82d36226152cf0d710784894ce5aa24b8220ac1/ujson-5.12.0-cp314-cp314-win_arm64.whl", hash = "sha256:6879aed770557f0961b252648d36f6fdaab41079d37a2296b5649fd1b35608e0", size = 39860, upload-time = "2026-03-11T22:18:58.578Z" },
-    { url = "https://files.pythonhosted.org/packages/c3/71/9b4dacb177d3509077e50497222d39eec04c8b41edb1471efc764d645237/ujson-5.12.0-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:7ddb08b3c2f9213df1f2e3eb2fbea4963d80ec0f8de21f0b59898e34f3b3d96d", size = 56845, upload-time = "2026-03-11T22:18:59.629Z" },
-    { url = "https://files.pythonhosted.org/packages/24/c2/8abffa3be1f3d605c4a62445fab232b3e7681512ce941c6b23014f404d36/ujson-5.12.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:0a3ae28f0b209be5af50b54ca3e2123a3de3a57d87b75f1e5aa3d7961e041983", size = 54463, upload-time = "2026-03-11T22:19:00.697Z" },
-    { url = "https://files.pythonhosted.org/packages/db/2e/60114a35d1d6796eb428f7affcba00a921831ff604a37d9142c3d8bbe5c5/ujson-5.12.0-cp314-cp314t-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d30ad4359413c8821cc7b3707f7ca38aa8bc852ba3b9c5a759ee2d7740157315", size = 58689, upload-time = "2026-03-11T22:19:01.739Z" },
-    { url = "https://files.pythonhosted.org/packages/c8/ad/010925c2116c21ce119f9c2ff18d01f48a19ade3ff4c5795da03ce5829fc/ujson-5.12.0-cp314-cp314t-manylinux_2_24_i686.manylinux_2_28_i686.whl", hash = "sha256:02f93da7a4115e24f886b04fd56df1ee8741c2ce4ea491b7ab3152f744ad8f8e", size = 60618, upload-time = "2026-03-11T22:19:03.101Z" },
-    { url = "https://files.pythonhosted.org/packages/9b/74/db7f638bf20282b1dccf454386cbd483faaaed3cdbb9cb27e06f74bb109e/ujson-5.12.0-cp314-cp314t-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:3ff4ede90ed771140caa7e1890de17431763a483c54b3c1f88bd30f0cc1affc0", size = 58151, upload-time = "2026-03-11T22:19:04.175Z" },
-    { url = "https://files.pythonhosted.org/packages/9c/7e/3ebaecfa70a2e8ce623db8e21bd5cb05d42a5ef943bcbb3309d71b5de68d/ujson-5.12.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:a7bf9cc97f05048ac8f3e02cd58f0fe62b901453c24345bfde287f4305dcc31c", size = 1038117, upload-time = "2026-03-11T22:19:05.558Z" },
-    { url = "https://files.pythonhosted.org/packages/2e/aa/e073eda7f0036c2973b28db7bb99faba17a932e7b52d801f9bb3e726271f/ujson-5.12.0-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:2324d9a0502317ffc35d38e153c1b2fa9610ae03775c9d0f8d0cca7b8572b04e", size = 1197434, upload-time = "2026-03-11T22:19:06.92Z" },
-    { url = "https://files.pythonhosted.org/packages/1c/01/b9a13f058fdd50c746b192c4447ca8d6352e696dcda912ccee10f032ff85/ujson-5.12.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:50524f4f6a1c839714dbaff5386a1afb245d2d5ec8213a01fbc99cea7307811e", size = 1090401, upload-time = "2026-03-11T22:19:08.383Z" },
-    { url = "https://files.pythonhosted.org/packages/c4/37/3d1b4e0076b6e43379600b5229a5993db8a759ff2e1830ea635d876f6644/ujson-5.12.0-cp314-cp314t-win32.whl", hash = "sha256:f7a0430d765f9bda043e6aefaba5944d5f21ec43ff4774417d7e296f61917382", size = 41880, upload-time = "2026-03-11T22:19:09.671Z" },
-    { url = "https://files.pythonhosted.org/packages/b1/c5/3c2a262a138b9f0014fe1134a6b5fdc2c54245030affbaac2fcbc0632138/ujson-5.12.0-cp314-cp314t-win_amd64.whl", hash = "sha256:ccbfd94e59aad4a2566c71912b55f0547ac1680bfac25eb138e6703eb3dd434e", size = 46365, upload-time = "2026-03-11T22:19:10.662Z" },
-    { url = "https://files.pythonhosted.org/packages/83/40/956dc20b7e00dc0ff3259871864f18dab211837fce3478778bedb3132ac1/ujson-5.12.0-cp314-cp314t-win_arm64.whl", hash = "sha256:42d875388fbd091c7ea01edfff260f839ba303038ffb23475ef392012e4d63dd", size = 40398, upload-time = "2026-03-11T22:19:11.666Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/ca/d88d86f90f8f237985f3e347b9a4f9fa24e8d30d19ec7d477ed18aa58393/ujson-5.12.1-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:6f19e9a407a24230df0cc1ec1c0f5999872ba526b14a780f80ad6479f5eed9bc", size = 58099, upload-time = "2026-05-05T22:04:06.688Z" },
+    { url = "https://files.pythonhosted.org/packages/ae/2d/a0a88407cee3550f7ed1e49b41157ee2d410f51905ed51fb134844255280/ujson-5.12.1-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:8b657e870c77aaacdeea86cfad3e6d2ef9b52517e45988c9c367f7ee764fe4dd", size = 55631, upload-time = "2026-05-05T22:04:07.925Z" },
+    { url = "https://files.pythonhosted.org/packages/a9/6d/12a3b8e72132db244ae048075e71a0079b3c5f61ff45b7ca81d5193ab3e7/ujson-5.12.1-cp314-cp314-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:984b5a99d1e0a037c2046c3c4b34cec832565d62d5017be0a035bf3cbfab72dc", size = 59469, upload-time = "2026-05-05T22:04:09.208Z" },
+    { url = "https://files.pythonhosted.org/packages/a2/72/310f8c21737554f2d2b4f1883e1a71e8a6ab0d8f92f0feb8aaa85e0f4b66/ujson-5.12.1-cp314-cp314-manylinux_2_24_i686.manylinux_2_28_i686.whl", hash = "sha256:f48ef8a16f1d85bd7982beac7adfd3fb704058631db84c1c61c8a1b7072b1508", size = 61611, upload-time = "2026-05-05T22:04:10.836Z" },
+    { url = "https://files.pythonhosted.org/packages/50/50/ab4b2f7bab6c7a67298c8f2aca80e2082eaf6f332cf2d099762647b5301e/ujson-5.12.1-cp314-cp314-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4f39ba3b65cc637b59731532f7e7c807786bff1d0332ab2d5b96a04d2584d78f", size = 59122, upload-time = "2026-05-05T22:04:12.137Z" },
+    { url = "https://files.pythonhosted.org/packages/21/48/5d81cbe76fc2aa9e071aa489a3041cf0712f5e0663d60d501641f92b7bb4/ujson-5.12.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:07f307780f85b49cba93f291718421b6f5f3b627a323b431fad937a18f6587cb", size = 1038938, upload-time = "2026-05-05T22:04:13.548Z" },
+    { url = "https://files.pythonhosted.org/packages/fb/a7/abe1acb0e5d8b8d724b35533a44c89684c88100a5fd9f2fee7f7155528d5/ujson-5.12.1-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:1c335caea51c31494e514b82d50763b9792d3960d2c7d9fdb6b6fb8ed50ebdd0", size = 1198416, upload-time = "2026-05-05T22:04:15.609Z" },
+    { url = "https://files.pythonhosted.org/packages/ed/6e/087067d6ee22bd01bfba9fb1f32ce98c24ae2bcbab53bd2fbf8f7a80fe9e/ujson-5.12.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:19ea07e29a45d199f926aadf93a9974128438c01b83141fba32477c0ee604b33", size = 1091425, upload-time = "2026-05-05T22:04:17.909Z" },
+    { url = "https://files.pythonhosted.org/packages/4e/d2/28938574b766980f873b68962abb4c68a944d939446768982934ad3bcd93/ujson-5.12.1-cp314-cp314-win32.whl", hash = "sha256:c8e626b6bc9bdd2e8f7393b7d99f3daa2ca4022e6203662e70de7bb3604b21b9", size = 42334, upload-time = "2026-05-05T22:04:19.85Z" },
+    { url = "https://files.pythonhosted.org/packages/49/b0/0af30bf65d96b73c28054b344ebbe24bc96780ae8a7f2973f5dad979510a/ujson-5.12.1-cp314-cp314-win_amd64.whl", hash = "sha256:c6d3bdd020333688ee60559437021ed68a98a28fdd609b5af16de5dd58f90cba", size = 46586, upload-time = "2026-05-05T22:04:21.298Z" },
+    { url = "https://files.pythonhosted.org/packages/4e/3b/0ee2555823724e60cc847c715c299f5792aa444bdde69c51d4aa42d885c2/ujson-5.12.1-cp314-cp314-win_arm64.whl", hash = "sha256:e3c9c894971f4ada3ded16a804ed4640e1f2b3e5239beaeec7c48296f39f4232", size = 41178, upload-time = "2026-05-05T22:04:22.597Z" },
+    { url = "https://files.pythonhosted.org/packages/3f/3d/7547835cd0b7fa22eb1122702f81b2403c38a0027a2cc0d75acc449a4a66/ujson-5.12.1-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:49dd9c378e1c8e676785ff2b62cb490074229f15ab54abf45b623713cb2c36b5", size = 58565, upload-time = "2026-05-05T22:04:23.75Z" },
+    { url = "https://files.pythonhosted.org/packages/ed/6a/1784e0b24aab50623eb47b2f7a8dc22c9d809d798854d2568a9cb7c3560f/ujson-5.12.1-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:6d8827904358d7da59ccf2e1fd8de59e78248036d17fecc0462e62c6721f1102", size = 56157, upload-time = "2026-05-05T22:04:25.028Z" },
+    { url = "https://files.pythonhosted.org/packages/91/2d/2c1b24df24eee309047d81460c3a1acf0d047207327edc6f3cab8a614985/ujson-5.12.1-cp314-cp314t-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:dc26caebea90425662ef0b979f945f6ac832651881107d6ec9a3c4d4a4ba929c", size = 60288, upload-time = "2026-05-05T22:04:26.273Z" },
+    { url = "https://files.pythonhosted.org/packages/c5/14/c0c603e3dff2ef98f7deee2df7795e6055abbc5825c6ef530024b3b06a15/ujson-5.12.1-cp314-cp314t-manylinux_2_24_i686.manylinux_2_28_i686.whl", hash = "sha256:45022aae09ac3d45bda6fbfc631088d1aff9a0465542d40bd6d295ced378c430", size = 62302, upload-time = "2026-05-05T22:04:27.516Z" },
+    { url = "https://files.pythonhosted.org/packages/5c/0d/889bbc044561d9adc9bf413620fbd9878f352c9fd36da829d319bca2f5ad/ujson-5.12.1-cp314-cp314t-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:b22aa0f644516d3d5b29464949e4b23fe784f84b4a1030ab9ac3cb42aaedabb1", size = 59784, upload-time = "2026-05-05T22:04:28.776Z" },
+    { url = "https://files.pythonhosted.org/packages/18/35/3b1d8ff8cd6dc048f5c495af6ee6ded43055562610a7e9b78b438dc6421e/ujson-5.12.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:7dc5cf44ea42365cd1b66e6ed3fc6ca040c86587b024a6659b98e99d31cff2cd", size = 1039759, upload-time = "2026-05-05T22:04:30.291Z" },
+    { url = "https://files.pythonhosted.org/packages/6a/d8/3c66cdf839420a6da2d6140a54a882c15efd135bcced103bd4473d577636/ujson-5.12.1-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:8df5d984ff4ac1ef292d70f30da03417038a7e1e0bc272d28ca9d34f02f41682", size = 1199121, upload-time = "2026-05-05T22:04:31.961Z" },
+    { url = "https://files.pythonhosted.org/packages/54/51/c3d1b94a4ad27dc7532e9f7d00b869463157cede2295ba6d57566afeb8cd/ujson-5.12.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:485f0182a0c0b54c304061cdc826d8343ce595c4055f7a24e72772a8520e5f7b", size = 1092085, upload-time = "2026-05-05T22:04:33.697Z" },
+    { url = "https://files.pythonhosted.org/packages/ae/52/4d4a6e78290a5eef3f576f6d281e6355535db903a08483fd1bb393bf8cb9/ujson-5.12.1-cp314-cp314t-win32.whl", hash = "sha256:4e12ca368b397aed7fa1eec534ea1ba8d94977b376f9df3e93ae1acfd004ec40", size = 43243, upload-time = "2026-05-05T22:04:35.486Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/c8/849366785de52b513e5fc89d7aea0b531e71bb5641407cbdfdf47a99ede8/ujson-5.12.1-cp314-cp314t-win_amd64.whl", hash = "sha256:cec6b9b539539affc1f01a795c99574592a635ce22331b64f2b42e0af570659e", size = 47662, upload-time = "2026-05-05T22:04:37.07Z" },
+    { url = "https://files.pythonhosted.org/packages/8a/46/36a67f5a531a15308124786f3e2b7b96414b9d23dbcdc2a182dd3ffa2e1d/ujson-5.12.1-cp314-cp314t-win_arm64.whl", hash = "sha256:696224d4cfb8883fa5c0285dff31e5ce924704dd9ccd38e9ea8b5bf4a42b12fc", size = 41680, upload-time = "2026-05-05T22:04:39.083Z" },
 ]

 [[package]]
@@ -3791,11 +3791,11 @@ wheels = [

 [[package]]
 name = "urllib3"
-version = "2.6.3"
+version = "2.7.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", size = 433602, upload-time = "2026-05-07T16:13:18.596Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
+    { url = "https://files.pythonhosted.org/packages/7f/3e/5db95bcf282c52709639744ca2a8b149baccf648e39c8cc87553df9eae0c/urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897", size = 131087, upload-time = "2026-05-07T16:13:17.151Z" },
 ]

 [package.optional-dependencies]
--- a/web/README.md
+++ b/web/README.md
@@ -3,6 +3,27 @@
 This is the default UI for the authentik server. The documentation is going to be a little sparse
 for awhile, but at least let's get started.

+# Setup
+
+Install dependencies from the repo root with `make node-install` (or `make install` for the full
+Python + web + docs bootstrap). This wraps `npm ci` and explicitly rebuilds the small set of
+packages whose install scripts are required for the toolchain to function — currently `esbuild`,
+`chromedriver`, `tree-sitter`, and `tree-sitter-json`.
+
+The repo-root `.npmrc` sets `ignore-scripts=true` to neutralize the dominant npm supply-chain
+attack vector. As a side effect, running `npm ci` directly in this directory will install
+dependencies but skip those rebuilds, leaving `esbuild` and `chromedriver` in a non-functional
+state. If you bypass `make`, run the rebuild step yourself:
+
+```bash
+npm rebuild --ignore-scripts=false --foreground-scripts \
+    esbuild chromedriver tree-sitter tree-sitter-json
+```
+
+New dependencies that ship install scripts must be audited and added to `TRUSTED_INSTALL_SCRIPTS`
+in the repo-root `Makefile`. Each entry is arbitrary code that runs at install time, so the list
+is intentionally small.
+
 # The Theory of the authentik UI

 In Peter Naur's 1985 essay [Programming as Theory
--- a/web/icons/brand.png
+++ b/web/icons/brand.png
--- a/web/icons/brand.svg
+++ b/web/icons/brand.svg
@@ -1 +1 @@
-<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 144.29"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M106,41.08h25.39v101.2H106v-10.7a50,50,0,0,1-14.92,10.19,41.84,41.84,0,0,1-16.21,3.11q-19.61,0-33.91-15.21T26.64,91.86q0-23.43,13.85-38.41t33.63-15a42.78,42.78,0,0,1,17.09,3.44A46.82,46.82,0,0,1,106,52.24ZM79.29,61.91a25.65,25.65,0,0,0-19.56,8.33q-7.78,8.33-7.79,21.34t7.93,21.58a25.66,25.66,0,0,0,19.51,8.47,26.15,26.15,0,0,0,19.84-8.33q7.88-8.33,7.88-21.81,0-13.2-7.88-21.39T79.29,61.91Z"/><path class="cls-1" d="M168.39,41.08h25.67V89.82q0,14.22,2,19.76a17.24,17.24,0,0,0,6.29,8.61A18.06,18.06,0,0,0,213,121.26a18.6,18.6,0,0,0,10.77-3,17.7,17.7,0,0,0,6.57-8.88q1.59-4.36,1.59-18.7V41.08h25.39V84q0,26.51-4.18,36.27a39.6,39.6,0,0,1-15.07,18.28q-10,6.38-25.3,6.37-16.65,0-26.93-7.44T171.36,116.7q-3-9.21-3-33.49Z"/><path class="cls-1" d="M297.3,3.78h25.39v37.3h15.07V62.93H322.69v79.35H297.3V62.93h-13V41.08h13Z"/><path class="cls-1" d="M362.86,2h25.21v49.3a57.74,57.74,0,0,1,15-9.63,38.56,38.56,0,0,1,15.25-3.21,34.36,34.36,0,0,1,25.39,10.42q8.83,9,8.84,26.51v66.88h-25V97.91q0-17.58-1.68-23.81t-5.71-9.3a16.07,16.07,0,0,0-10-3.07,18.85,18.85,0,0,0-13.26,5.11q-5.53,5.11-7.67,14-1.12,4.56-1.12,20.84v40.65H362.86Z"/><path class="cls-1" d="M589.91,99H508.33q1.77,10.78,9.44,17.16t19.58,6.37a33.86,33.86,0,0,0,24.46-10l21.4,10a50.54,50.54,0,0,1-19.16,16.79q-11.16,5.44-26.51,5.44-23.82,0-38.79-15t-15-37.63q0-23.16,14.93-38.46t37.44-15.3q23.91,0,38.88,15.3t15,40.42Zm-25.4-20a25.48,25.48,0,0,0-9.92-13.77A28.81,28.81,0,0,0,537.4,60a30.42,30.42,0,0,0-18.64,5.95q-5,3.72-9.31,13.12Z"/><path class="cls-1" d="M621.89,41.08h25.39V51.45q8.64-7.29,15.65-10.13a37.82,37.82,0,0,1,14.35-2.85A34.77,34.77,0,0,1,702.83,49q8.82,8.94,8.82,26.42v66.88H686.54V98q0-18.12-1.63-24.06a16.44,16.44,0,0,0-5.66-9.06,15.8,15.8,0,0,0-10-3.11,18.73,18.73,0,0,0-13.23,5.15Q650.53,72,648.4,81.14q-1.12,4.74-1.12,20.54v40.6H621.89Z"/><path class="cls-1" d="M750.71,3.78H776.1v37.3h15.07V62.93H776.1v79.35H750.71V62.93h-13V41.08h13Z"/><path class="cls-1" d="M826.09-.6a15.55,15.55,0,0,1,11.45,4.84A16.08,16.08,0,0,1,842.31,16a15.87,15.87,0,0,1-4.72,11.58,15.34,15.34,0,0,1-11.32,4.79,15.6,15.6,0,0,1-11.55-4.88A16.35,16.35,0,0,1,810,15.59a15.57,15.57,0,0,1,4.73-11.44A15.53,15.53,0,0,1,826.09-.6Z"/><rect class="cls-1" x="813.39" y="41.08" width="25.39" height="101.2"/><path class="cls-1" d="M873.47,2h25.39V82.8l37.39-41.72h31.89l-43.59,48.5,48.81,52.7H941.83l-43-46.64v46.64H873.47Z"/></svg>
+<?xml version="1.0" encoding="UTF-8"?><svg id="d" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 3064.87 487.37"><defs><symbol id="a" viewBox="0 0 2865.3 437.72"><g style="isolation:isolate;"><path d="M238.73,125.38h76.4v304.5h-76.4v-32.18c-14.91,14.18-29.87,24.4-44.87,30.65-15,6.25-31.26,9.37-48.78,9.37-39.32,0-73.33-15.25-102.04-45.76C14.35,361.45,0,323.53,0,278.19s13.89-85.54,41.65-115.58c27.77-30.04,61.5-45.06,101.19-45.06,18.26,0,35.4,3.45,51.43,10.35,16.03,6.91,30.84,17.26,44.45,31.07v-33.58ZM158.41,188.07c-23.62,0-43.24,8.35-58.86,25.05-15.62,16.7-23.43,38.11-23.43,64.23s7.95,47.96,23.84,64.93c15.9,16.98,35.47,25.47,58.72,25.47s43.89-8.35,59.69-25.05c15.8-16.7,23.71-38.57,23.71-65.63s-7.9-47.95-23.71-64.37c-15.81-16.42-35.8-24.63-59.97-24.63Z" style="fill:#fd4b2d;"/><path d="M403.16,125.38h77.24v146.65c0,28.55,1.96,48.37,5.89,59.47,3.93,11.1,10.24,19.73,18.94,25.89,8.69,6.16,19.4,9.24,32.12,9.24s23.52-3.03,32.4-9.1c8.88-6.06,15.47-14.97,19.78-26.73,3.18-8.77,4.77-27.52,4.77-56.25V125.38h76.41v129.02c0,53.18-4.2,89.56-12.59,109.15-10.26,23.88-25.38,42.22-45.34,54.99-19.97,12.78-45.34,19.17-76.13,19.17-33.4,0-60.41-7.46-81.02-22.39-20.62-14.92-35.13-35.73-43.52-62.41-5.97-18.47-8.96-52.06-8.96-100.75v-126.78Z" style="fill:#fd4b2d;"/><path d="M796.76,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M999.76,7.84h75.85v148.33c14.93-12.88,29.95-22.53,45.06-28.97,15.11-6.44,30.41-9.65,45.9-9.65,30.23,0,55.7,10.45,76.41,31.34,17.73,18.1,26.59,44.69,26.59,79.76v201.23h-75.29v-133.5c0-35.27-1.68-59.15-5.04-71.65-3.36-12.5-9.09-21.83-17.21-27.99-8.12-6.15-18.15-9.23-30.09-9.23-15.49,0-28.78,5.13-39.88,15.39-11.11,10.26-18.8,24.26-23.09,41.98-2.24,9.14-3.36,30.04-3.36,62.69v122.3h-75.85V7.84Z" style="fill:#fd4b2d;"/><path d="M1688.63,299.74h-245.45c3.54,21.65,13.01,38.86,28.41,51.64,15.39,12.78,35.03,19.17,58.91,19.17,28.55,0,53.08-9.98,73.6-29.95l64.37,30.23c-16.05,22.77-35.26,39.6-57.65,50.52-22.39,10.91-48.98,16.37-79.76,16.37-47.77,0-86.67-15.06-116.71-45.2-30.04-30.13-45.06-67.87-45.06-113.21s14.97-85.03,44.92-115.73c29.95-30.69,67.49-46.04,112.65-46.04,47.95,0,86.95,15.35,116.99,46.04,30.04,30.69,45.06,71.23,45.06,121.61l-.28,14.55ZM1612.22,239.57c-5.05-16.98-15-30.79-29.86-41.42-14.86-10.63-32.1-15.95-51.72-15.95-21.3,0-40,5.98-56.07,17.91-10.09,7.47-19.44,20.62-28.03,39.46h165.68Z" style="fill:#fd4b2d;"/><path d="M1790.6,125.38h76.41v31.21c17.33-14.61,33.02-24.77,47.09-30.48,14.06-5.71,28.46-8.57,43.18-8.57,30.18,0,55.8,10.54,76.85,31.62,17.7,17.91,26.55,44.41,26.55,79.48v201.23h-75.57v-133.35c0-36.34-1.63-60.47-4.89-72.4-3.26-11.93-8.93-21.01-17.03-27.26-8.1-6.24-18.1-9.36-30.01-9.36-15.45,0-28.71,5.17-39.78,15.51-11.08,10.35-18.76,24.65-23.04,42.91-2.24,9.5-3.35,30.1-3.35,61.78v122.16h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2183.92,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M2416.46,0c13.39,0,24.88,4.85,34.46,14.55,9.58,9.7,14.38,21.46,14.38,35.27s-4.75,25.24-14.24,34.84c-9.49,9.61-20.84,14.41-34.04,14.41s-25.16-4.9-34.75-14.69c-9.58-9.79-14.37-21.69-14.37-35.68s4.74-24.91,14.23-34.43c9.49-9.51,20.93-14.27,34.33-14.27ZM2378.26,125.38h76.41v304.5h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2564.75,7.84h76.41v243.09l112.51-125.54h95.96l-131.17,145.94,146.86,158.56h-94.85l-129.3-140.34v140.34h-76.41V7.84Z" style="fill:#fd4b2d;"/></g></symbol></defs><use width="2865.3" height="437.72" transform="translate(99.78 24.83)" xlink:href="#a"/></svg>
--- a/web/icons/icon.png
+++ b/web/icons/icon.png
--- a/web/icons/icon.svg
+++ b/web/icons/icon.svg
@@ -1 +1 @@
-<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 1000"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><rect class="cls-1" x="546.66" y="275.34" width="34.99" height="99.97"/><rect class="cls-1" x="637.66" y="271.13" width="34.99" height="78.19"/><path class="cls-1" d="M127.64,385.31a127.57,127.57,0,0,0-112.13,66.9H74.82c26.27-22.67,64.42-29.28,92,0h62.8C205.11,419.06,168.36,385.31,127.64,385.31Z"/><path class="cls-1" d="M212.39,512.53C130.55,683.65-12.89,537.81,74.82,452.21H15.51C-31,533.33,33.3,642.73,127.64,640.24c73,0,133.2-108.3,133.2-127.46,0-8.47-11.78-34.33-31.2-60.57h-62.8C187.65,471.08,205.81,498.56,212.39,512.53Zm2.17-5h0Z"/><path class="cls-1" d="M999.94,274.11V725.89c0,86.58-70.42,157.06-157.05,157.06H776.22V729.12H457.88V883H391.22c-86.64,0-157.06-70.48-157.06-157.06V583.81H738.87V312.11H495.24V464.76H234.16V274.11a151.29,151.29,0,0,1,1.06-18,154.4,154.4,0,0,1,3.88-21.15c.58-2.23,1.23-4.46,1.88-6.64a13.66,13.66,0,0,1,.52-1.64c.36-1.12.71-2.17,1.06-3.23s.76-2.17,1.18-3.23c.47-1.23.88-2.41,1.35-3.58s1-2.35,1.47-3.53a159,159,0,0,1,14.27-26.49c.06-.06.12-.17.17-.23,1.41-2.06,2.88-4.11,4.41-6.17,1.29-1.7,2.58-3.35,3.88-5,1.52-1.82,3.11-3.7,4.69-5.46s3.12-3.47,4.76-5.11l.18-.18a36.53,36.53,0,0,1,2.64-2.64,159.75,159.75,0,0,1,18.68-15.63c1.76-1.29,3.64-2.52,5.52-3.76,2.11-1.35,4.23-2.64,6.4-3.93,4.11-2.41,8.28-4.64,12.63-6.64,1.35-.64,2.76-1.29,4.11-1.88a152.81,152.81,0,0,1,18.38-6.63c2.41-.71,4.82-1.35,7.29-1.94,1.17-.3,2.35-.59,3.58-.82a158.5,158.5,0,0,1,21.26-3.12l3.12-.17c.52,0,1-.06,1.52-.06,2.35-.12,4.76-.18,7.17-.18H842.89c2.4,0,4.81.06,7.16.18.53,0,1,.06,1.53.06l3.11.17A158.26,158.26,0,0,1,876,120.58c1.24.23,2.41.52,3.59.82,2.46.59,4.87,1.23,7.28,1.94A152.81,152.81,0,0,1,905.2,130c1.35.59,2.76,1.24,4.11,1.88,4.35,2,8.52,4.23,12.63,6.64,2.18,1.29,4.29,2.58,6.4,3.93,1.88,1.24,3.76,2.47,5.52,3.76a157.53,157.53,0,0,1,21.5,18.45c1.65,1.64,3.23,3.34,4.76,5.11s3.17,3.64,4.7,5.46c1.29,1.64,2.58,3.29,3.87,5,1.53,2.06,3,4.11,4.41,6.17.06.06.12.17.18.23a159.71,159.71,0,0,1,14.27,26.49c.47,1.18,1,2.35,1.47,3.53s.88,2.35,1.35,3.58c.41,1.06.82,2.11,1.17,3.23s.71,2.11,1.06,3.23a15.74,15.74,0,0,1,.53,1.64c.64,2.18,1.29,4.41,1.88,6.64a155.92,155.92,0,0,1,3.87,21.15A151.29,151.29,0,0,1,999.94,274.11Z"/><path class="cls-1" d="M973.27,186.59H260.84A157.05,157.05,0,0,1,391.2,117.07H842.9A157.08,157.08,0,0,1,973.27,186.59Z"/><path class="cls-1" d="M998.94,256.1H235.16a155.35,155.35,0,0,1,25.68-69.51H973.27A155.34,155.34,0,0,1,998.94,256.1Z"/><path class="cls-1" d="M1000,274.11v51.51H738.87V312.11H495.24v13.51H234.1V274.11a153.41,153.41,0,0,1,1.06-18H998.94A151.29,151.29,0,0,1,1000,274.11Z"/><rect class="cls-1" x="234.1" y="325.62" width="261.13" height="69.54"/><rect class="cls-1" x="738.87" y="325.62" width="261.13" height="69.54"/><rect class="cls-1" x="234.1" y="395.16" width="261.13" height="69.48"/><rect class="cls-1" x="738.87" y="395.16" width="261.13" height="69.48"/></svg>
+<?xml version="1.0" encoding="UTF-8"?><svg id="c" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 1000 1000"><defs><symbol id="a" viewBox="0 0 998.94 763.82"><path d="M829.67,0h-425.28c-93.1,0-169.27,76.17-169.27,169.27v425.28c0,93.1,76.17,169.27,169.27,169.27h50.18v-165.68h324.96v165.68h50.14c93.1,0,169.27-76.17,169.27-169.27V169.27C998.94,76.17,922.77,0,829.67,0ZM755.98,463.53H235.4v-114.49h268.96v-158.97h43.68v94.7h25.61v-94.7h30.88v69.64h25.61v-69.64h30.88v116.35h25.61v-116.35h43.68v158.97h25.69v114.49Z" style="fill:#fd4b2d;"/><g id="b"><path d="M237.36,342.19h-.02c-25.34-34.27-63.32-69.15-105.42-69.15-48.4.03-92.89,26.58-115.91,69.15-48.08,83.85,18.39,196.94,115.91,194.36,75.46,0,137.69-111.95,137.69-131.75,0-8.76-12.18-35.49-32.25-62.61ZM77.32,342.19c27.16-23.43,66.59-30.27,95.1,0h.02c21.51,19.51,40.28,47.91,47.08,62.35-84.6,176.88-232.87,26.13-142.2-62.35Z" style="fill:#fd4b2d;"/></g></symbol></defs><use width="998.94" height="763.82" transform="translate(1 117.03)" xlink:href="#a"/></svg>
--- a/web/icons/icon_christmas.png
+++ b/web/icons/icon_christmas.png
--- a/web/icons/icon_discord.png
+++ b/web/icons/icon_discord.png
--- a/web/icons/icon_left_brand.png
+++ b/web/icons/icon_left_brand.png
--- a/web/icons/icon_left_brand.svg
+++ b/web/icons/icon_left_brand.svg
@@ -1 +1 @@
-<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 994.71 151.65"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M284.72,50.4H305.5v82.84H284.72v-8.76a40.79,40.79,0,0,1-12.21,8.34,34.14,34.14,0,0,1-13.27,2.55q-16.05,0-27.76-12.45T219.77,92q0-19.18,11.33-31.45t27.53-12.26a34.94,34.94,0,0,1,14,2.82,38.32,38.32,0,0,1,12.1,8.45ZM262.87,67.45a21,21,0,0,0-16,6.82q-6.37,6.81-6.38,17.47T247,109.4a21,21,0,0,0,16,6.93,21.42,21.42,0,0,0,16.24-6.81q6.45-6.81,6.45-17.86,0-10.8-6.45-17.51A21.71,21.71,0,0,0,262.87,67.45Z"/><path class="cls-1" d="M335.8,50.4h21V90.29q0,11.65,1.6,16.18a14.16,14.16,0,0,0,5.16,7,14.76,14.76,0,0,0,8.74,2.51,15.25,15.25,0,0,0,8.81-2.48,14.49,14.49,0,0,0,5.38-7.27q1.31-3.57,1.3-15.3V50.4h20.79V85.5q0,21.69-3.43,29.69a32.32,32.32,0,0,1-12.33,15q-8.16,5.22-20.71,5.22-13.64,0-22.05-6.09a32.2,32.2,0,0,1-11.84-17q-2.43-7.55-2.43-27.41Z"/><path class="cls-1" d="M441.32,19.86H462.1V50.4h12.34V68.29H462.1v65H441.32V68.29H430.66V50.4h10.66Z"/><path class="cls-1" d="M495,18.42h20.63V58.77a47.41,47.41,0,0,1,12.26-7.88,31.62,31.62,0,0,1,12.49-2.63,28.13,28.13,0,0,1,20.78,8.53q7.23,7.4,7.24,21.7v54.75H547.9V96.92q0-14.4-1.37-19.49a13.6,13.6,0,0,0-4.68-7.62,13.19,13.19,0,0,0-8.18-2.51,15.43,15.43,0,0,0-10.85,4.19,22.14,22.14,0,0,0-6.28,11.42q-.91,3.72-.92,17v33.28H495Z"/><path class="cls-1" d="M680.84,97.83H614.06a22.25,22.25,0,0,0,7.73,14q6.29,5.22,16,5.21a27.7,27.7,0,0,0,20-8.14l17.51,8.22a41.31,41.31,0,0,1-15.68,13.74q-9.13,4.46-21.7,4.46-19.5,0-31.75-12.3T594,92.27q0-19,12.22-31.48t30.65-12.53q19.56,0,31.82,12.53t12.26,33.08ZM660.05,81.46a20.87,20.87,0,0,0-8.12-11.27,23.61,23.61,0,0,0-14.08-4.34,24.88,24.88,0,0,0-15.25,4.88q-4.11,3-7.62,10.73Z"/><path class="cls-1" d="M707,50.4H727.8v8.49a50.15,50.15,0,0,1,12.81-8.3,31.08,31.08,0,0,1,11.75-2.33,28.44,28.44,0,0,1,20.91,8.61q7.22,7.31,7.22,21.62v54.75H759.93V97q0-14.83-1.33-19.7A13.48,13.48,0,0,0,754,69.85a13,13,0,0,0-8.16-2.55A15.32,15.32,0,0,0,735,71.52a22.6,22.6,0,0,0-6.27,11.67q-.9,3.89-.91,16.81v33.24H707Z"/><path class="cls-1" d="M812.46,19.86h20.79V50.4h12.33V68.29H833.25v65H812.46V68.29H801.8V50.4h10.66Z"/><path class="cls-1" d="M874.16,16.29a12.74,12.74,0,0,1,9.38,3.95,13.18,13.18,0,0,1,3.91,9.6,13,13,0,0,1-3.87,9.48,12.6,12.6,0,0,1-9.27,3.92,12.73,12.73,0,0,1-9.45-4A13.39,13.39,0,0,1,861,29.53a12.78,12.78,0,0,1,3.87-9.36A12.71,12.71,0,0,1,874.16,16.29Z"/><rect class="cls-1" x="863.77" y="50.4" width="20.79" height="82.84"/><path class="cls-1" d="M913,18.42h20.78V84.55L964.34,50.4h26.11L954.76,90.1l40,43.14h-25.8L933.73,95.06v38.18H913Z"/><rect class="cls-1" x="107.1" y="34.93" width="6.37" height="18.2"/><rect class="cls-1" x="123.67" y="34.16" width="6.37" height="14.23"/><path class="cls-1" d="M30.83,55A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,78.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/><path class="cls-1" d="M189.62,34.71V117A28.62,28.62,0,0,1,161,145.54H148.89v-28H90.94v28H78.81A28.62,28.62,0,0,1,50.22,117V91.08h91.87V41.62H97.74V69.41H50.22V34.71a27.43,27.43,0,0,1,.19-3.29,27.09,27.09,0,0,1,.71-3.84c.1-.41.22-.82.34-1.21a2.13,2.13,0,0,1,.09-.3c.07-.21.13-.4.2-.59s.14-.4.21-.59.16-.44.25-.65.18-.43.26-.64a29.35,29.35,0,0,1,2.6-4.82l0-.05c.26-.37.53-.75.81-1.12s.47-.61.7-.91.57-.67.86-1,.56-.63.86-.93l0,0a4.53,4.53,0,0,1,.49-.49,29.23,29.23,0,0,1,3.4-2.84c.32-.24.66-.46,1-.68s.77-.49,1.17-.72a23.78,23.78,0,0,1,2.29-1.21l.75-.34a27.84,27.84,0,0,1,3.35-1.21c.44-.13.88-.24,1.33-.35a6.19,6.19,0,0,1,.65-.15,28.86,28.86,0,0,1,3.87-.57l.56,0h.28c.43,0,.87,0,1.31,0H161c.43,0,.87,0,1.3,0h.28l.56,0a29.25,29.25,0,0,1,3.88.57c.22,0,.43.09.65.15.45.11.88.22,1.32.35a27.23,27.23,0,0,1,3.35,1.21l.75.34a25.19,25.19,0,0,1,2.3,1.21c.39.23.78.47,1.16.72s.69.44,1,.68a29.23,29.23,0,0,1,3.91,3.36q.45.45.87.93c.29.32.57.66.85,1l.71.91c.28.37.54.75.8,1.12l0,.05a28.61,28.61,0,0,1,2.6,4.82l.27.64.24.65c.08.19.15.39.22.59l.19.59c0,.09.06.19.1.3.11.39.23.8.34,1.21a28.56,28.56,0,0,1,.7,3.84A27.42,27.42,0,0,1,189.62,34.71Z"/><path class="cls-1" d="M184.76,18.78H55.07A28.59,28.59,0,0,1,78.8,6.12H161A28.59,28.59,0,0,1,184.76,18.78Z"/><path class="cls-1" d="M189.43,31.43H50.4a28.29,28.29,0,0,1,4.67-12.65H184.76A28.17,28.17,0,0,1,189.43,31.43Z"/><path class="cls-1" d="M189.63,34.71v9.37H142.09V41.62H97.74v2.46H50.21V34.71a27.43,27.43,0,0,1,.19-3.29h139A27.42,27.42,0,0,1,189.63,34.71Z"/><rect class="cls-1" x="50.21" y="44.08" width="47.54" height="12.66"/><rect class="cls-1" x="142.09" y="44.08" width="47.54" height="12.66"/><rect class="cls-1" x="50.21" y="56.74" width="47.54" height="12.65"/><rect class="cls-1" x="142.09" y="56.74" width="47.54" height="12.65"/></svg>
+<?xml version="1.0" encoding="UTF-8"?><svg id="i" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 3767.3 592.89"><defs><symbol id="a" viewBox="0 0 998.94 763.82"><path d="M829.67,0h-425.28c-93.1,0-169.27,76.17-169.27,169.27v425.28c0,93.1,76.17,169.27,169.27,169.27h50.18v-165.68h324.96v165.68h50.14c93.1,0,169.27-76.17,169.27-169.27V169.27C998.94,76.17,922.77,0,829.67,0ZM755.98,463.53H235.4v-114.49h268.96v-158.97h43.68v94.7h25.61v-94.7h30.88v69.64h25.61v-69.64h30.88v116.35h25.61v-116.35h43.68v158.97h25.69v114.49Z" style="fill:#fd4b2d;"/><g id="b"><path d="M237.36,342.19h-.02c-25.34-34.27-63.32-69.15-105.42-69.15-48.4.03-92.89,26.58-115.91,69.15-48.08,83.85,18.39,196.94,115.91,194.36,75.46,0,137.69-111.95,137.69-131.75,0-8.76-12.18-35.49-32.25-62.61ZM77.32,342.19c27.16-23.43,66.59-30.27,95.1,0h.02c21.51,19.51,40.28,47.91,47.08,62.35-84.6,176.88-232.87,26.13-142.2-62.35Z" style="fill:#fd4b2d;"/></g></symbol><symbol id="c" viewBox="0 0 2865.3 437.72"><g style="isolation:isolate;"><path d="M238.73,125.38h76.4v304.5h-76.4v-32.18c-14.91,14.18-29.87,24.4-44.87,30.65-15,6.25-31.26,9.37-48.78,9.37-39.32,0-73.33-15.25-102.04-45.76C14.35,361.45,0,323.53,0,278.19s13.89-85.54,41.65-115.58c27.77-30.04,61.5-45.06,101.19-45.06,18.26,0,35.4,3.45,51.43,10.35,16.03,6.91,30.84,17.26,44.45,31.07v-33.58ZM158.41,188.07c-23.62,0-43.24,8.35-58.86,25.05-15.62,16.7-23.43,38.11-23.43,64.23s7.95,47.96,23.84,64.93c15.9,16.98,35.47,25.47,58.72,25.47s43.89-8.35,59.69-25.05c15.8-16.7,23.71-38.57,23.71-65.63s-7.9-47.95-23.71-64.37c-15.81-16.42-35.8-24.63-59.97-24.63Z" style="fill:#fd4b2d;"/><path d="M403.16,125.38h77.24v146.65c0,28.55,1.96,48.37,5.89,59.47,3.93,11.1,10.24,19.73,18.94,25.89,8.69,6.16,19.4,9.24,32.12,9.24s23.52-3.03,32.4-9.1c8.88-6.06,15.47-14.97,19.78-26.73,3.18-8.77,4.77-27.52,4.77-56.25V125.38h76.41v129.02c0,53.18-4.2,89.56-12.59,109.15-10.26,23.88-25.38,42.22-45.34,54.99-19.97,12.78-45.34,19.17-76.13,19.17-33.4,0-60.41-7.46-81.02-22.39-20.62-14.92-35.13-35.73-43.52-62.41-5.97-18.47-8.96-52.06-8.96-100.75v-126.78Z" style="fill:#fd4b2d;"/><path d="M796.76,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M999.76,7.84h75.85v148.33c14.93-12.88,29.95-22.53,45.06-28.97,15.11-6.44,30.41-9.65,45.9-9.65,30.23,0,55.7,10.45,76.41,31.34,17.73,18.1,26.59,44.69,26.59,79.76v201.23h-75.29v-133.5c0-35.27-1.68-59.15-5.04-71.65-3.36-12.5-9.09-21.83-17.21-27.99-8.12-6.15-18.15-9.23-30.09-9.23-15.49,0-28.78,5.13-39.88,15.39-11.11,10.26-18.8,24.26-23.09,41.98-2.24,9.14-3.36,30.04-3.36,62.69v122.3h-75.85V7.84Z" style="fill:#fd4b2d;"/><path d="M1688.63,299.74h-245.45c3.54,21.65,13.01,38.86,28.41,51.64,15.39,12.78,35.03,19.17,58.91,19.17,28.55,0,53.08-9.98,73.6-29.95l64.37,30.23c-16.05,22.77-35.26,39.6-57.65,50.52-22.39,10.91-48.98,16.37-79.76,16.37-47.77,0-86.67-15.06-116.71-45.2-30.04-30.13-45.06-67.87-45.06-113.21s14.97-85.03,44.92-115.73c29.95-30.69,67.49-46.04,112.65-46.04,47.95,0,86.95,15.35,116.99,46.04,30.04,30.69,45.06,71.23,45.06,121.61l-.28,14.55ZM1612.22,239.57c-5.05-16.98-15-30.79-29.86-41.42-14.86-10.63-32.1-15.95-51.72-15.95-21.3,0-40,5.98-56.07,17.91-10.09,7.47-19.44,20.62-28.03,39.46h165.68Z" style="fill:#fd4b2d;"/><path d="M1790.6,125.38h76.41v31.21c17.33-14.61,33.02-24.77,47.09-30.48,14.06-5.71,28.46-8.57,43.18-8.57,30.18,0,55.8,10.54,76.85,31.62,17.7,17.91,26.55,44.41,26.55,79.48v201.23h-75.57v-133.35c0-36.34-1.63-60.47-4.89-72.4-3.26-11.93-8.93-21.01-17.03-27.26-8.1-6.24-18.1-9.36-30.01-9.36-15.45,0-28.71,5.17-39.78,15.51-11.08,10.35-18.76,24.65-23.04,42.91-2.24,9.5-3.35,30.1-3.35,61.78v122.16h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2183.92,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M2416.46,0c13.39,0,24.88,4.85,34.46,14.55,9.58,9.7,14.38,21.46,14.38,35.27s-4.75,25.24-14.24,34.84c-9.49,9.61-20.84,14.41-34.04,14.41s-25.16-4.9-34.75-14.69c-9.58-9.79-14.37-21.69-14.37-35.68s4.74-24.91,14.23-34.43c9.49-9.51,20.93-14.27,34.33-14.27ZM2378.26,125.38h76.41v304.5h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2564.75,7.84h76.41v243.09l112.51-125.54h95.96l-131.17,145.94,146.86,158.56h-94.85l-129.3-140.34v140.34h-76.41V7.84Z" style="fill:#fd4b2d;"/></g></symbol></defs><use width="998.94" height="763.82" transform="translate(28.54 36.14) scale(.68)" xlink:href="#a"/><use width="2865.3" height="437.72" transform="translate(802.22 67.81)" xlink:href="#c"/></svg>
--- a/web/icons/icon_pride_lgbt.png
+++ b/web/icons/icon_pride_lgbt.png
--- a/web/icons/icon_pride_trans.png
+++ b/web/icons/icon_pride_trans.png
--- a/web/icons/icon_top_brand.png
+++ b/web/icons/icon_top_brand.png
--- a/web/icons/icon_top_brand.svg
+++ b/web/icons/icon_top_brand.svg
--- a/web/logger/browser.js
+++ b/web/logger/browser.js
@@ -63,7 +63,7 @@ const LogLevelColors = /** @type {const} */ ({
 * Creates a logger with the given prefix.
 *
 * @param {string} [prefix]
- * @param {...string} args
+ * @param {...string[]} args
 * @returns {Logger}
 *
 */
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@@ -97,7 +97,7 @@
        "@codemirror/theme-one-dark": "^6.1.3",
        "@eslint/js": "^9.39.3",
        "@floating-ui/dom": "^1.7.6",
-        "@formatjs/intl-listformat": "^8.3.4",
+        "@formatjs/intl-listformat": "^8.3.5",
        "@fortawesome/fontawesome-free": "^7.2.0",
        "@goauthentik/api": "0.0.0",
        "@goauthentik/core": "^1.0.0",
@@ -127,14 +127,15 @@
        "@types/codemirror": "^5.60.17",
        "@types/grecaptcha": "^3.0.9",
        "@types/guacamole-common-js": "^1.5.5",
-        "@types/node": "^25.6.0",
+        "@types/node": "^25.6.2",
        "@types/react": "^19.2.14",
        "@types/react-dom": "^19.2.3",
        "@typescript-eslint/eslint-plugin": "^8.57.2",
        "@typescript-eslint/parser": "^8.57.2",
        "@typescript-eslint/utils": "^8.57.2",
-        "@vitest/browser": "^4.1.5",
-        "@vitest/browser-playwright": "^4.0.15",
+        "@typescript/native-preview": "^7.0.0-dev.20260421.2",
+        "@vitest/browser": "^4.1.6",
+        "@vitest/browser-playwright": "^4.1.6",
        "@webcomponents/webcomponentsjs": "^2.8.0",
        "base64-js": "^1.5.1",
        "change-case": "^5.4.4",
@@ -151,28 +152,28 @@
        "eslint-plugin-lit": "^2.2.1",
        "eslint-plugin-wc": "^3.1.0",
        "fuse.js": "^7.3.0",
-        "globals": "^17.5.0",
+        "globals": "^17.6.0",
        "guacamole-common-js": "^1.5.0",
        "hastscript": "^9.0.1",
-        "knip": "^6.9.0",
+        "knip": "^6.11.0",
        "lex": "^2025.11.0",
        "lit": "^3.3.2",
        "lit-analyzer": "^2.0.3",
        "lit-element": "^4.2.2",
        "lit-html": "^3.3.2",
        "md-front-matter": "^1.0.4",
-        "mermaid": "^11.14.0",
+        "mermaid": "^11.15.0",
        "node-domexception": "^2025.11.0",
        "npm-run-all": "^4.1.5",
        "pino": "^10.3.1",
        "pino-pretty": "^13.1.2",
-        "playwright": "^1.58.2",
+        "playwright": "^1.60.0",
        "prettier": "^3.8.3",
        "prettier-plugin-packagejson": "^3.0.2",
        "pseudolocale": "^2.2.0",
        "rapidoc": "^9.3.8",
-        "react": "^19.2.5",
-        "react-dom": "^19.2.5",
+        "react": "^19.2.6",
+        "react-dom": "^19.2.6",
        "rehype-highlight": "^7.0.2",
        "rehype-mermaid": "^3.0.0",
        "rehype-parse": "^9.0.1",
@@ -183,6 +184,7 @@
        "remark-mdx-frontmatter": "^5.2.0",
        "storybook": "^10.2.1",
        "style-mod": "^4.1.3",
+        "stylelint": "^17.11.0",
        "trusted-types": "^2.0.0",
        "ts-pattern": "^5.9.0",
        "turnstile-types": "^1.2.3",
@@ -190,8 +192,8 @@
        "typescript": "^6.0.3",
        "typescript-eslint": "^8.57.2",
        "unist-util-visit": "^5.1.0",
-        "vite": "^8.0.10",
-        "vitest": "^4.1.1",
+        "vite": "^8.0.12",
+        "vitest": "^4.1.6",
        "webcomponent-qr-code": "^1.3.0",
        "wireit": "^0.14.12",
        "yaml": "^2.8.4"
@@ -202,8 +204,7 @@
        "@esbuild/linux-x64": "^0.28.0",
        "@rollup/rollup-darwin-arm64": "^4.57.1",
        "@rollup/rollup-linux-arm64-gnu": "^4.57.1",
-        "@rollup/rollup-linux-x64-gnu": "^4.57.1",
-        "chromedriver": "^147.0.4"
+        "@rollup/rollup-linux-x64-gnu": "^4.57.1"
    },
    "workspaces": [
        "./packages/*"
@@ -260,10 +261,7 @@
            "command": "lit-analyzer src"
        },
        "lint:types": {
-            "command": "tsc -p .",
-            "env": {
-                "NODE_OPTIONS": "--max_old_space_size=8192"
-            },
+            "command": "tsgo -p .",
            "dependencies": [
                "build-locales"
            ]
@@ -292,10 +290,7 @@
            }
        },
        "tsc": {
-            "command": "tsc -p .",
-            "env": {
-                "NODE_OPTIONS": "--max_old_space_size=8192"
-            },
+            "command": "tsgo -p .",
            "dependencies": [
                "build-locales"
            ]
@@ -332,7 +327,8 @@
            "typescript": "$typescript"
        },
        "@mrmarble/djangoql-completion": {
-            "lex": "$lex"
+            "lex": "$lex",
+            "lodash": "^4.18.1"
        },
        "@typescript-eslint/eslint-plugin": {
            "typescript": "$typescript"
@@ -340,6 +336,9 @@
        "@typescript-eslint/parser": {
            "typescript": "$typescript"
        },
+        "@typescript-eslint/typescript-estree": {
+            "typescript": "$typescript"
+        },
        "@typescript-eslint/utils": {
            "typescript": "$typescript"
        },
@@ -354,6 +353,9 @@
        },
        "typescript-eslint": {
            "typescript": "$typescript"
+        },
+        "wireit": {
+            "brace-expansion": "^1.1.14"
        }
    }
 }
--- a/web/packages/core/package.json
+++ b/web/packages/core/package.json
@@ -45,7 +45,7 @@
    },
    "dependencies": {
        "@goauthentik/tsconfig": "^1.0.9",
-        "@types/node": "^25.6.0",
+        "@types/node": "^25.6.2",
        "@types/semver": "^7.7.1",
        "semver": "^7.7.4",
        "typescript": "^6.0.3"
--- a/web/packages/lex/index.js
+++ b/web/packages/lex/index.js
@@ -25,7 +25,7 @@
 *
 * @callback LexerAction
 * @this {Lexer}
- * @param {...string} match
+ * @param {...string[]} match
 * @returns {Token | Token[] | null | void}
 */

--- a/web/src/admin/sources/saml/SAMLSourceViewPage.ts
+++ b/web/src/admin/sources/saml/SAMLSourceViewPage.ts
@@ -119,7 +119,7 @@ export class SAMLSourceViewPage extends AKElement {
                                        </dt>
                                        <dd class="pf-c-description-list__description">
                                            <div class="pf-c-description-list__text">
-                                                ${this.source.urlIssuer}
+                                                ${this.source.issuer}
                                            </div>
                                        </dd>
                                    </div>
--- a/web/src/admin/users/UserViewPage.ts
+++ b/web/src/admin/users/UserViewPage.ts
@@ -54,7 +54,7 @@ import { ToggleUserActivationButton } from "#admin/users/UserActiveForm";
 import { UserForm } from "#admin/users/UserForm";
 import { UserImpersonateForm } from "#admin/users/UserImpersonateForm";

-import { CapabilitiesEnum, CoreApi, ModelEnum, User } from "@goauthentik/api";
+import { CapabilitiesEnum, CoreApi, ModelEnum, User, UserTypeEnum } from "@goauthentik/api";

 import { msg, str } from "@lit/localize";
 import { css, html, PropertyValues, TemplateResult } from "lit";
@@ -192,7 +192,10 @@ export class UserViewPage extends WithLicenseSummary(
    protected renderActionButtons(user: User) {
        const showImpersonate =
            this.can(CapabilitiesEnum.CanImpersonate) && user.pk !== this.currentUser?.pk;
-        const showLockdown = this.hasEnterpriseLicense && user.pk !== this.currentUser?.pk;
+        const showLockdown =
+            this.hasEnterpriseLicense &&
+            user.pk !== this.currentUser?.pk &&
+            user.type !== UserTypeEnum.InternalServiceAccount;

        const displayName = formatUserDisplayName(user);

--- a/web/src/admin/users/ak-user-wizard.ts
+++ b/web/src/admin/users/ak-user-wizard.ts
@@ -11,6 +11,8 @@ import { CreateWizard } from "#elements/wizard/CreateWizard";
 import { TypeCreateWizardPageLayouts } from "#elements/wizard/TypeCreateWizardPage";
 import { WizardPage } from "#elements/wizard/WizardPage";

+import { ButtonKindLabelRecord } from "#components/ak-wizard/shared";
+
 import { UserForm } from "#admin/users/UserForm";

 import { TypeCreate, UserServiceAccountResponse, UserTypeEnum } from "@goauthentik/api";
@@ -57,7 +59,7 @@ export interface UserWizardState {
 export class ServiceAccountResultPage extends WizardPage<UserWizardState> {
    public static styles: CSSResult[] = [PFForm, PFFormControl];

-    public override headline = msg("Review Credentials");
+    public override headline = msg("View Credentials");

    @state()
    protected result: UserServiceAccountResponse | null = null;
@@ -75,6 +77,10 @@ export class ServiceAccountResultPage extends WizardPage<UserWizardState> {
        this.host.cancelable = false;
    };

+    public formatNextLabel(): SlottedTemplateResult | null {
+        return ButtonKindLabelRecord.close();
+    }
+
    public override nextCallback = async (): Promise<boolean> => true;

    protected override render(): SlottedTemplateResult {
--- a/web/src/components/ak-wizard/WizardStep.ts
+++ b/web/src/components/ak-wizard/WizardStep.ts
@@ -58,9 +58,10 @@ export abstract class WizardStep extends AKElement {

            .pf-c-wizard__main-body {
                display: flex;
-                flex-flow: row wrap;
+                flex-flow: column;

                & > * {
+                    width: 100%;
                    flex: 1 1 auto;
                }
            }
--- a/web/src/elements/ak-drawer/ak-drawer.component.ts
+++ b/web/src/elements/ak-drawer/ak-drawer.component.ts
@@ -1,32 +1,73 @@
-import Style from "./ak-drawer.css";
+import AKDrawer from "./ak-drawer.styles";
+import { DrawerResizeController } from "./drawerResizeController";

-import { AKElement } from "#elements/Base";
-import { classList } from "#elements/directives/class-list";
-
-import { html } from "lit";
+import { html, LitElement, nothing, PropertyValues } from "lit";
 import { property } from "lit/decorators.js";

-import PFDrawer from "@patternfly/patternfly/components/Drawer/drawer.css";
+export class DrawerExpandRequest extends Event {
+    static readonly eventName = "ak-drawer-expand-request";
+    expanded: boolean | null = null;

-export class Drawer extends AKElement {
-    static readonly styles = [PFDrawer, Style];
+    constructor(expanded: boolean | null = null) {
+        super(DrawerExpandRequest.eventName, { bubbles: true, composed: true });
+        this.expanded = expanded;
+    }
+}
+
+export class AkDrawer extends LitElement {
+    static readonly styles = [AKDrawer];
+
+    @property({ type: Boolean })
+    public resizable = false;

    @property({ type: Boolean, reflect: true })
-    public open = false;
+    public expanded = false;

-    render() {
-        const open = [(this.open && "pf-m-expanded") || "pf-m-collapsed"];
+    @property({ type: Boolean, reflect: true })
+    public resizing = false;

+    @property({ type: String, reflect: true })
+    public width = "33";
+
+    private resize = new DrawerResizeController(this);
+
+    onDrawerRequest = (ev: DrawerExpandRequest) => {
+        ev.stopPropagation();
+        this.expanded = ev.expanded === null ? !this.expanded : ev.expanded;
+    };
+
+    constructor() {
+        super();
+        this.addEventListener(DrawerExpandRequest.eventName, this.onDrawerRequest);
+    }
+
+    public override render() {
        return html`
-            <div class="pf-c-page__drawer">
-                <div class="pf-c-drawer ${classList(open)}" id="flow-drawer">
-                    <div class="pf-c-drawer__main">
-                        <div class="pf-c-drawer__content">
-                            <div class="pf-c-drawer__body">
-                                <slot></slot>
-                            </div>
+            <div class="ak-v2-c-drawer" part="drawer">
+                <div class="ak-v2-c-drawer__main" part="drawer-main">
+                    <div class="ak-v2-c-drawer__content" part="drawer-content">
+                        <div class="ak-v2-c-drawer__body" part="drawer-body">
+                            <slot></slot>
                        </div>
-                        <div class="pf-c-drawer__panel pf-m-width-33">
+                    </div>
+                    <div class="ak-v2-c-drawer__panel" part="drawer-panel">
+                        ${this.resizable
+                            ? html` <div
+                                  class="ak-v2-c-drawer__splitter"
+                                  part="drawer-splitter"
+                                  @mousedown=${this.resize.handleMouseDown}
+                                  @keydown=${this.resize.handleKeyDown}
+                                  @touchstart=${this.resize.handleTouchStart}
+                                  role="separator"
+                                  tabindex="0"
+                              >
+                                  <div
+                                      class="ak-v2-c-drawer__splitter-handle"
+                                      aria-hidden="true"
+                                  ></div>
+                              </div>`
+                            : nothing}
+                        <div class="ak-v2-c-drawer__panel-main" part="drawer-panel-main">
                            <slot name="panel"></slot>
                        </div>
                    </div>
@@ -34,4 +75,26 @@ export class Drawer extends AKElement {
            </div>
        `;
    }
+
+    public override updated(changed: PropertyValues<this>) {
+        super.updated(changed);
+
+        // Simulate the behavior of summary/details, another disclosure pattern.
+        const expanded = changed.get("expanded");
+        if (expanded !== undefined) {
+            const expandedMsg = (i: boolean) => (i ? "open" : "closed");
+            this.dispatchEvent(
+                new ToggleEvent("toggle", {
+                    newState: expandedMsg(this.expanded),
+                    oldState: expandedMsg(expanded),
+                }),
+            );
+        }
+    }
+}
+
+declare global {
+    interface GlobalEventHandlersEventMap {
+        [DrawerExpandRequest.eventName]: DrawerExpandRequest;
+    }
 }
--- a/web/src/elements/ak-drawer/ak-drawer.css
+++ b/web/src/elements/ak-drawer/ak-drawer.css
@@ -1,40 +0,0 @@
-slot {
-    display: content;
-}
-
-[data-theme="dark"] {
-    --pf-c-drawer__panel--BackgroundColor: var(--ak-dark-background);
-}
-
-.pf-c-drawer {
-    /* TODO: Revisit this after native <dialog> modals are implemented. */
-    --pf-c-drawer__content--ZIndex: auto;
-}
-
-.pf-c-drawer__body {
-    display: flex;
-    flex-flow: column;
-}
-
-.pf-c-drawer__content {
-    --pf-c-drawer__content--BackgroundColor: transparent;
-}
-
-.pf-c-drawer {
-    .pf-c-drawer__panel {
-        background-color: var(--pf-c-drawer__panel--BackgroundColor);
-
-        transition-behavior: allow-discrete;
-
-        gap: var(--pf-global--spacer--sm);
-
-        @media (width > 768px) {
-            flex-flow: row;
-
-            .pf-c-drawer__panel_content {
-                flex: 1 1 auto;
-                max-width: 33dvw;
-            }
-        }
-    }
-}
--- a/web/src/elements/ak-drawer/ak-drawer.root.css
+++ b/web/src/elements/ak-drawer/ak-drawer.root.css
@@ -0,0 +1,141 @@
+/* ----------- CSS Custom Properties for DRAWER  --------------------------- */
+
+:root {
+    --ak-v2-c-drawer__content--FlexBasis: 100%;
+    --ak-v2-c-drawer__content--BackgroundColor: var(--ak-v2-global--ContentSurface);
+    --ak-v2-c-drawer__content--ZIndex: var(--ak-v2-global--ZIndex--xs, auto);
+    --ak-v2-c-drawer__panel--MinWidth: 50%;
+    --ak-v2-c-drawer__panel--MaxHeight: auto;
+    --ak-v2-c-drawer__panel--ZIndex: var(--ak-v2-global--ZIndex--sm);
+    --ak-v2-c-drawer__panel--BackgroundColor: var(--ak-v2-global--ContentSurface);
+    --ak-v2-c-drawer__panel--TransitionDuration: var(--ak-v2-global--TransitionDuration);
+    --ak-v2-c-drawer__panel--TransitionProperty: margin, transform, box-shadow, flex-basis;
+    --ak-v2-c-drawer__panel--FlexBasis: 100%;
+    --ak-v2-c-drawer__panel--md--FlexBasis--min: 1.5rem;
+    --ak-v2-c-drawer__panel--md--FlexBasis: 50%;
+    --ak-v2-c-drawer__panel--md--FlexBasis--max: 100%;
+    --ak-v2-c-drawer__panel--xl--MinWidth: 28.125rem;
+    --ak-v2-c-drawer__panel--xl--FlexBasis: 28.125rem;
+    --ak-v2-c-drawer--m-panel-bottom__panel--md--MinHeight: 50%;
+    --ak-v2-c-drawer--m-panel-bottom__panel--xl--MinHeight: 18.75rem;
+    --ak-v2-c-drawer--m-panel-bottom__panel--xl--FlexBasis: 18.75rem;
+    --ak-v2-c-drawer__panel--m-resizable--FlexDirection: row;
+    --ak-v2-c-drawer__panel--m-resizable--md--FlexBasis--min: var(
+        --ak-v2-c-drawer__splitter--m-vertical--Width
+    );
+    --ak-v2-c-drawer__panel--m-resizable--MinWidth: 1.5rem;
+    --ak-v2-c-drawer--m-panel-bottom__panel--m-resizable--FlexDirection: column;
+    --ak-v2-c-drawer--m-panel-bottom__panel--m-resizable--md--FlexBasis--min: 1.5rem;
+    --ak-v2-c-drawer--m-panel-bottom__panel--m-resizable--MinHeight: 1.5rem;
+    --ak-v2-c-drawer__splitter--Height: 0.5625rem;
+    --ak-v2-c-drawer__splitter--Width: 100%;
+    --ak-v2-c-drawer__splitter--BackgroundColor: var(--ak-v2-global--ContentSurface);
+    --ak-v2-c-drawer__splitter--Cursor: row-resize;
+    --ak-v2-c-drawer__splitter--m-vertical--Height: 100%;
+    --ak-v2-c-drawer__splitter--m-vertical--Width: 0.5625rem;
+    --ak-v2-c-drawer__splitter--m-vertical--Cursor: col-resize;
+    --ak-v2-c-drawer--m-inline__splitter--focus--OutlineOffset: -0.0625rem;
+    --ak-v2-c-drawer__splitter--after--BorderColor: var(--ak-v2-global--BorderColor--100);
+    --ak-v2-c-drawer__splitter--after--border-width--base: var(--ak-v2-global--BorderWidth--sm);
+    --ak-v2-c-drawer__splitter--after--BorderTopWidth: 0;
+    --ak-v2-c-drawer__splitter--after--BorderRightWidth: var(
+        --ak-v2-c-drawer__splitter--after--border-width--base
+    );
+    --ak-v2-c-drawer__splitter--after--BorderBottomWidth: 0;
+    --ak-v2-c-drawer__splitter--after--BorderLeftWidth: 0;
+    --ak-v2-c-drawer--m-panel-left__splitter--after--BorderLeftWidth: var(
+        --ak-v2-c-drawer__splitter--after--border-width--base
+    );
+    --ak-v2-c-drawer--m-panel-bottom__splitter--after--BorderBottomWidth: var(
+        --ak-v2-c-drawer__splitter--after--border-width--base
+    );
+    --ak-v2-c-drawer--m-inline__splitter--m-vertical--Width: 0.625rem;
+    --ak-v2-c-drawer--m-inline__splitter-handle--Left: 50%;
+    --ak-v2-c-drawer--m-inline__splitter--after--BorderRightWidth: var(
+        --ak-v2-c-drawer__splitter--after--border-width--base
+    );
+    --ak-v2-c-drawer--m-inline__splitter--after--BorderLeftWidth: var(
+        --ak-v2-c-drawer__splitter--after--border-width--base
+    );
+    --ak-v2-c-drawer--m-inline--m-panel-bottom__splitter--Height: 0.625rem;
+    --ak-v2-c-drawer--m-inline--m-panel-bottom__splitter-handle--Top: 50%;
+    --ak-v2-c-drawer--m-inline--m-panel-bottom__splitter--after--BorderTopWidth: var(
+        --ak-v2-c-drawer__splitter--after--border-width--base
+    );
+    --ak-v2-c-drawer__splitter-handle--Top: 50%;
+    --ak-v2-c-drawer__splitter-handle--Left: calc(
+        50% - var(--ak-v2-c-drawer__splitter--after--border-width--base)
+    );
+    --ak-v2-c-drawer--m-panel-left__splitter-handle--Left: 50%;
+    --ak-v2-c-drawer--m-panel-bottom__splitter-handle--Top: calc(
+        50% - var(--ak-v2-c-drawer__splitter--after--border-width--base)
+    );
+    --ak-v2-c-drawer__splitter-handle--after--BorderColor: var(--ak-v2-global--Color--200);
+    --ak-v2-c-drawer__splitter-handle--after--BorderTopWidth: var(--ak-v2-global--BorderWidth--sm);
+    --ak-v2-c-drawer__splitter-handle--after--BorderRightWidth: 0;
+    --ak-v2-c-drawer__splitter-handle--after--BorderBottomWidth: var(
+        --ak-v2-global--BorderWidth--sm
+    );
+    --ak-v2-c-drawer__splitter-handle--after--BorderLeftWidth: 0;
+    --ak-v2-c-drawer__splitter--hover__splitter-handle--after--BorderColor: var(
+        --ak-v2-global--Color--100
+    );
+    --ak-v2-c-drawer__splitter--focus__splitter-handle--after--BorderColor: var(
+        --ak-v2-global--Color--100
+    );
+    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderTopWidth: 0;
+    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderRightWidth: var(
+        --ak-v2-global--BorderWidth--sm
+    );
+    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderBottomWidth: 0;
+    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderLeftWidth: var(
+        --ak-v2-global--BorderWidth--sm
+    );
+    --ak-v2-c-drawer__splitter-handle--after--Width: 0.75rem;
+    --ak-v2-c-drawer__splitter-handle--after--Height: 0.25rem;
+    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--Width: 0.25rem;
+    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--Height: 0.75rem;
+}
+
+@media screen and (min-width: 1200px) {
+    :root {
+        --ak-v2-c-drawer__panel--MinWidth: var(--ak-v2-c-drawer__panel--xl--MinWidth);
+    }
+}
+
+:root {
+    --ak-v2-c-drawer__panel--BoxShadow: none;
+    --ak-v2-c-drawer--m-expanded--m-panel-bottom__panel--BoxShadow: var(
+        --ak-v2-global--BoxShadow--lg-top
+    );
+    --ak-v2-c-drawer--m-expanded__panel--BoxShadow: var(--ak-v2-global--BoxShadow--lg-left);
+}
+
+:root {
+    --ak-v2-c-drawer--m-expanded--m-panel-left__panel--BoxShadow: var(
+        --ak-v2-global--BoxShadow--lg-right
+    );
+}
+
+:root {
+    --ak-v2-c-drawer__panel--after--Width: var(--ak-v2-global--BorderWidth--sm);
+    --ak-v2-c-drawer--m-panel-bottom__panel--after--Height: var(--ak-v2-global--BorderWidth--sm);
+    --ak-v2-c-drawer__panel--after--BackgroundColor: transparent;
+    --ak-v2-c-drawer--m-inline--m-expanded__panel--after--BackgroundColor: var(
+        --ak-v2-global--BorderColor--100
+    );
+    --ak-v2-c-drawer--m-inline__panel--PaddingLeft: var(--ak-v2-c-drawer__panel--after--Width);
+    --ak-v2-c-drawer--m-panel-left--m-inline__panel--PaddingRight: var(
+        --ak-v2-c-drawer__panel--after--Width
+    );
+    --ak-v2-c-drawer--m-panel-bottom--m-inline__panel--PaddingTop: var(
+        --ak-v2-c-drawer__panel--after--Width
+    );
+}
+
+html[data-theme="dark"],
+.ak-t-dark,
+.pf-t-dark {
+    --ak-v2-c-drawer__panel--BackgroundColor: var(--ak-v2-global--ContentSurface);
+    --ak-v2-c-drawer__splitter--BackgroundColor: transparent;
+}
--- a/web/src/elements/ak-drawer/ak-drawer.stories.ts
+++ b/web/src/elements/ak-drawer/ak-drawer.stories.ts
@@ -0,0 +1,151 @@
+import "./ak-drawer";
+
+import { DrawerExpandRequest } from "./ak-drawer.component";
+
+import type { Meta, StoryObj } from "@storybook/web-components-vite";
+
+import { html, TemplateResult } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+const toggle = (e: Event) => {
+    const button = e.target as HTMLButtonElement;
+    button.dispatchEvent(new DrawerExpandRequest());
+};
+
+const contentBlock = html`
+    <div style="padding: 1rem;">
+        <h2>Main Content</h2>
+        <p><button @click=${toggle}>Toggle Drawer</button></p>
+        <p>
+            This is the drawer's main: fill it by inserting slotted content without a slot name.
+            This is the part that stays visible most of the time.
+        </p>
+        <p>
+            Macaroon lollipop croissant sweet biscuit croissant chocolate cake. Cake cake pastry
+            soufflé pudding. Tiramisu lollipop chocolate cake toffee oat cake muffin topping tootsie
+            roll. Carrot cake bonbon chupa chups sugar plum fruitcake. Brownie sweet halvah oat cake
+            cheesecake topping chocolate. Wafer macaroon topping lollipop powder cupcake sugar plum
+            donut. Muffin wafer icing danish jelly-o bonbon. Powder shortbread brownie caramels
+            tootsie roll dragée liquorice. Cake lemon drops powder danish toffee.
+        </p>
+    </div>
+`;
+
+const panelBlock = html`
+    <style>
+        [slot="panel"] {
+            padding: 1rem;
+            background-color: var(--pf-v5-global--BackgroundColor--200, #f0f0f0);
+        }
+    </style>
+    <div slot="panel">
+        <h3>Panel Content</h3>
+        <p>This is the side panel. This is where you put the secondary information.</p>
+        <ul>
+            <li>
+                Seasonal, steamed, con panna and rich ut aged cup decaffeinated single origin con
+                panna bar
+            </li>
+            <li>Skinny mazagran whipped, black iced beans carajillo eu cream</li>
+            <li>Americano pumpkin spice milk ristretto caffeine single shot</li>
+        </ul>
+        <p><button @click=${toggle}>Toggle Drawer</button></p>
+    </div>
+`;
+
+interface DrawerProps {
+    expanded?: boolean;
+    inline?: boolean;
+    static?: boolean;
+    resizable?: boolean;
+    width?: string;
+    position?: string;
+    content?: TemplateResult;
+    panel?: TemplateResult;
+}
+
+const meta = {
+    title: "Components/Drawer",
+    component: "ak-drawer",
+    tags: ["autodocs"],
+    decorators: [
+        (story) =>
+            html`<div style="min-height: 400px; border: 1px solid #d2d2d2; overflow: hidden;">
+                ${story()}
+            </div>`,
+    ],
+    argTypes: {
+        expanded: { control: "boolean" },
+        position: {
+            control: { type: "select" },
+            options: ["right", "left", "bottom"],
+        },
+        inline: { control: "boolean" },
+        static: { control: "boolean" },
+        resizable: { control: "boolean" },
+        width: {
+            control: { type: "select" },
+            options: ["25", "33", "50", "66", "75", "100"],
+        },
+    },
+} satisfies Meta;
+
+export default meta;
+type Story = StoryObj;
+
+const Template: Story = {
+    args: {
+        expanded: false,
+        inline: false,
+        static: false,
+        resizable: false,
+        width: undefined,
+        position: undefined,
+        content: contentBlock,
+        panel: panelBlock,
+    },
+    render: (args) => {
+        return html` <ak-drawer
+            ?expanded=${args.expanded}
+            ?inline=${args.inline}
+            ?resizable=${args.resizable}
+            position=${ifDefined(args.position)}
+            width=${ifDefined(args.width)}
+        >
+            ${args.content} ${args.panel}
+        </ak-drawer>`;
+    },
+};
+
+export const Default: Story = {
+    render: () => html` <ak-drawer> ${contentBlock} ${panelBlock} </ak-drawer> `,
+};
+
+export const story = (args: DrawerProps = {}, name?: string): Story => ({
+    ...Template,
+    ...(name ? { name } : {}),
+    args: {
+        ...Template.args,
+        ...args,
+    },
+});
+
+export const Expanded: Story = story({ expanded: true });
+
+export const PanelLeft: Story = story({ expanded: true, position: "left" });
+
+export const PanelBottom = story({ expanded: true, position: "bottom" });
+
+export const Inline = story({ expanded: true, inline: true });
+
+export const Static = story({ expanded: true, static: true });
+
+export const Resizable = story({ expanded: true, resizable: true });
+
+export const ResizableLeft = story({ expanded: true, resizable: true, position: "left" });
+
+export const ResizableBottom = story({ expanded: true, resizable: true, position: "bottom" });
+
+export const CustomWidth = story({ expanded: true, width: "33" });
+
+export const ResponsiveWidth = story({ expanded: true, width: "75-on-xl" });
--- a/web/src/elements/ak-drawer/ak-drawer.styles.ts
+++ b/web/src/elements/ak-drawer/ak-drawer.styles.ts
@@ -0,0 +1,914 @@
+import { css } from "lit";
+
+export const styles = css`
+    :host {
+        display: flex;
+        flex-direction: column;
+        height: 100%;
+    }
+
+    .ak-v2-c-drawer {
+        display: flex;
+        flex-direction: column;
+        height: 100%;
+        overflow-x: hidden;
+    }
+
+    :host([position="bottom"]) .ak-v2-c-drawer {
+        overflow-x: auto;
+        overflow-y: hidden;
+    }
+
+    slot {
+        display: contents;
+    }
+
+    :host([inline]:not([no-border])) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel,
+    :host([inline]:not([resizable])) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel,
+    :host([static]:not([no-border])) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel,
+    :host([static]:not([resizable])) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        padding-inline-start: var(--ak-v2-c-drawer--m-inline__panel--PaddingLeft);
+    }
+
+    :host([position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        order: 0;
+        margin-inline-end: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateX(-100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([position="left"])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(-100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content {
+        order: 1;
+    }
+
+    :host([position="bottom"]) .ak-v2-c-drawer__main {
+        flex-direction: column;
+    }
+
+    :host(:not([inline], [static])) .ak-v2-c-drawer__main {
+        position: relative;
+    }
+
+    :host(:not([inline], [static])) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        position: absolute;
+        inset-block-start: 0;
+        inset-block-end: 0;
+        inset-inline-end: 0;
+        max-width: var(--ak-v2-c-drawer__panel--FlexBasis);
+        transform: translateX(100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host(:not([inline], [static]))
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([expanded]:not([inline], [static])) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    :host([position="left"]:not([inline], [static]))
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        inset-inline-end: auto;
+        inset-inline-start: 0;
+        transform: translateX(-100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([position="left"]:not([inline], [static]))
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(-100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([expanded][position="left"]:not([inline], [static]))
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    :host([position="bottom"]:not([inline], [static]))
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        inset-inline-end: 0;
+        inset-inline-start: 0;
+        inset-block-start: auto;
+        inset-block-end: 0;
+        max-width: none;
+        max-height: var(--ak-v2-c-drawer__panel--FlexBasis);
+        transform: translateY(100%);
+    }
+
+    :host([position="bottom"][expanded]:not([inline], [static]))
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateY(0);
+    }
+
+    :host([class*="pf-m-resizing"]) {
+        --ak-v2-c-drawer__panel--TransitionProperty: none;
+        pointer-events: none;
+    }
+
+    :host([class*="pf-m-resizing"]) .ak-v2-c-drawer__splitter {
+        pointer-events: auto;
+    }
+
+    .ak-v2-c-drawer__main {
+        display: flex;
+        flex: 1;
+        overflow: hidden;
+    }
+
+    .ak-v2-c-drawer__content,
+    .ak-v2-c-drawer__panel,
+    .ak-v2-c-drawer__panel-main {
+        display: flex;
+        flex-direction: column;
+        flex-shrink: 0;
+        overflow: auto;
+        --ak-v2-c-drawer__content--BackgroundColor: transparent;
+    }
+
+    .ak-v2-c-drawer__content {
+        z-index: var(--ak-v2-c-drawer__content--ZIndex);
+        flex-basis: var(--ak-v2-c-drawer__content--FlexBasis);
+        order: 0;
+        background-color: var(--ak-v2-c-drawer__content--BackgroundColor);
+    }
+
+    .ak-v2-c-drawer__panel {
+        position: relative;
+        z-index: var(--ak-v2-c-drawer__panel--ZIndex);
+        flex-basis: var(--ak-v2-c-drawer__panel--FlexBasis);
+        order: 1;
+        max-height: var(--ak-v2-c-drawer__panel--MaxHeight);
+        gap: var(--ak-v2-global--spacer--sm);
+        overflow: auto;
+        background-color: var(--ak-v2-c-drawer__panel--BackgroundColor);
+        box-shadow: var(--ak-v2-c-drawer__panel--BoxShadow);
+        transition-duration: var(--ak-v2-c-drawer__panel--TransitionDuration);
+        transition-property: var(--ak-v2-c-drawer__panel--TransitionProperty);
+        transition-behavior: allow-discrete;
+        -webkit-overflow-scrolling: touch;
+    }
+
+    .ak-v2-c-drawer__panel::after {
+        position: absolute;
+        inset-block-start: 0;
+        inset-inline-start: 0;
+        width: var(--ak-v2-c-drawer__panel--after--Width);
+        height: 100%;
+        content: "";
+        background-color: var(--ak-v2-c-drawer__panel--after--BackgroundColor);
+    }
+
+    @media screen and (min-width: 768px) {
+        .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer__panel--FlexBasis: max(
+                var(--ak-v2-c-drawer__panel--md--FlexBasis--min),
+                min(
+                    var(--ak-v2-c-drawer__panel--md--FlexBasis),
+                    var(--ak-v2-c-drawer__panel--md--FlexBasis--max)
+                )
+            );
+        }
+    }
+
+    @media screen and (min-width: 1200px) {
+        :host(:not([width])) .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer__panel--md--FlexBasis: var(--ak-v2-c-drawer__panel--xl--FlexBasis);
+        }
+    }
+
+    @media screen and (min-width: 1200px) {
+        :host([position="bottom"]) .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer__panel--md--FlexBasis: var(
+                --ak-v2-c-drawer--m-panel-bottom__panel--xl--FlexBasis
+            );
+        }
+    }
+
+    :where(
+            :host(:not([position])),
+            :host([position="left"]),
+            :host([position="right"]),
+            :host([position="start"]),
+            :host([position="end"])
+        )
+        .ak-v2-c-drawer__splitter {
+        --ak-v2-c-drawer__splitter--Height: var(--ak-v2-c-drawer__splitter--m-vertical--Height);
+        --ak-v2-c-drawer__splitter--Width: var(--ak-v2-c-drawer__splitter--m-vertical--Width);
+        --ak-v2-c-drawer__splitter--Cursor: var(--ak-v2-c-drawer__splitter--m-vertical--Cursor);
+        --ak-v2-c-drawer__splitter-handle--after--Width: var(
+            --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--Width
+        );
+        --ak-v2-c-drawer__splitter-handle--after--Height: var(
+            --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--Height
+        );
+        --ak-v2-c-drawer__splitter-handle--after--BorderTopWidth: var(
+            --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderTopWidth
+        );
+        --ak-v2-c-drawer__splitter-handle--after--BorderRightWidth: var(
+            --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderRightWidth
+        );
+        --ak-v2-c-drawer__splitter-handle--after--BorderBottomWidth: var(
+            --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderBottomWidth
+        );
+        --ak-v2-c-drawer__splitter-handle--after--BorderLeftWidth: var(
+            --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderLeftWidth
+        );
+    }
+
+    .ak-v2-c-drawer__splitter {
+        position: relative;
+        display: none;
+        width: var(--ak-v2-c-drawer__splitter--Width);
+        height: var(--ak-v2-c-drawer__splitter--Height);
+        cursor: var(--ak-v2-c-drawer__splitter--Cursor);
+        background-color: var(--ak-v2-c-drawer__splitter--BackgroundColor);
+    }
+
+    .ak-v2-c-drawer__splitter:hover {
+        --ak-v2-c-drawer__splitter-handle--after--BorderColor: var(
+            --ak-v2-c-drawer__splitter--hover__splitter-handle--after--BorderColor
+        );
+    }
+
+    .ak-v2-c-drawer__splitter:focus {
+        --ak-v2-c-drawer__splitter-handle--after--BorderColor: var(
+            --ak-v2-c-drawer__splitter--focus__splitter-handle--after--BorderColor
+        );
+    }
+
+    .ak-v2-c-drawer__splitter::after {
+        position: absolute;
+        inset-block-start: 0;
+        inset-block-end: 0;
+        inset-inline-start: 0;
+        inset-inline-end: 0;
+        content: "";
+        border: solid var(--ak-v2-c-drawer__splitter--after--BorderColor);
+        border-block-start-width: var(--ak-v2-c-drawer__splitter--after--BorderTopWidth);
+        border-block-end-width: var(--ak-v2-c-drawer__splitter--after--BorderBottomWidth);
+        border-inline-start-width: var(--ak-v2-c-drawer__splitter--after--BorderLeftWidth);
+        border-inline-end-width: var(--ak-v2-c-drawer__splitter--after--BorderRightWidth);
+    }
+
+    .ak-v2-c-drawer__splitter-handle {
+        position: absolute;
+        inset-block-start: var(--ak-v2-c-drawer__splitter-handle--Top);
+        inset-inline-start: var(--ak-v2-c-drawer__splitter-handle--Left);
+        transform: translate(-50%, -50%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"]) .ak-v2-c-drawer__splitter-handle {
+        transform: translate(calc(-50% * var(--ak-v2-global--inverse--multiplier)), -50%);
+    }
+
+    .ak-v2-c-drawer__splitter-handle::after {
+        display: block;
+        width: var(--ak-v2-c-drawer__splitter-handle--after--Width);
+        height: var(--ak-v2-c-drawer__splitter-handle--after--Height);
+        content: "";
+        border-color: var(--ak-v2-c-drawer__splitter-handle--after--BorderColor);
+        border-style: solid;
+        border-block-start-width: var(--ak-v2-c-drawer__splitter-handle--after--BorderTopWidth);
+        border-block-end-width: var(--ak-v2-c-drawer__splitter-handle--after--BorderBottomWidth);
+        border-inline-start-width: var(--ak-v2-c-drawer__splitter-handle--after--BorderLeftWidth);
+        border-inline-end-width: var(--ak-v2-c-drawer__splitter-handle--after--BorderRightWidth);
+    }
+
+    @media screen and (min-width: 768px) {
+        :host {
+            min-width: var(--ak-v2-c-drawer__panel--MinWidth);
+        }
+
+        :host([expanded]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+            box-shadow: var(--ak-v2-c-drawer--m-expanded__panel--BoxShadow);
+        }
+
+        :host([expanded][resizable]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer__panel--md--FlexBasis--min: var(
+                --ak-v2-c-drawer__panel--m-resizable--md--FlexBasis--min
+            );
+            flex-direction: var(--ak-v2-c-drawer__panel--m-resizable--FlexDirection);
+            min-width: var(--ak-v2-c-drawer__panel--m-resizable--MinWidth);
+        }
+
+        :host([expanded][resizable]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel::after {
+            width: 0;
+            height: 0;
+        }
+
+        :host([expanded][resizable])
+            .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel
+            > .ak-v2-c-drawer__splitter {
+            flex-shrink: 0;
+        }
+
+        :host([expanded][resizable])
+            .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel
+            > .ak-v2-c-drawer__panel-main {
+            flex-shrink: 1;
+        }
+
+        :host([position="left"]) {
+            --ak-v2-c-drawer--m-expanded__panel--BoxShadow: var(
+                --ak-v2-c-drawer--m-expanded--m-panel-left__panel--BoxShadow
+            );
+        }
+
+        :host([position="left"][inline])
+            > .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel:not(.pf-m-no-border, .pf-m-resizable),
+        :host([position="left"][static])
+            > .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel:not(.pf-m-no-border, .pf-m-resizable) {
+            padding-inline-start: 0;
+            padding-inline-end: var(--ak-v2-c-drawer--m-panel-left--m-inline__panel--PaddingRight);
+        }
+
+        :host([position="left"][expanded]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+            transform: translateX(0);
+        }
+
+        :host([position="left"][expanded]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel::after {
+            inset-inline-start: auto;
+            inset-inline-end: 0;
+        }
+
+        :host([position="left"][expanded][resizable])
+            .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel
+            > .ak-v2-c-drawer__splitter {
+            --ak-v2-c-drawer__splitter-handle--Left: var(
+                --ak-v2-c-drawer--m-panel-left__splitter-handle--Left
+            );
+            --ak-v2-c-drawer__splitter--after--BorderRightWidth: 0;
+            --ak-v2-c-drawer__splitter--after--BorderLeftWidth: var(
+                --ak-v2-c-drawer--m-panel-left__splitter--after--BorderLeftWidth
+            );
+            order: 1;
+        }
+
+        :host([position="bottom"]) {
+            --ak-v2-c-drawer--m-expanded__panel--BoxShadow: var(
+                --ak-v2-c-drawer--m-expanded--m-panel-bottom__panel--BoxShadow
+            );
+            --ak-v2-c-drawer__panel--MaxHeight: 100%;
+            --ak-v2-c-drawer__panel--FlexBasis--min: var(
+                --ak-v2-c-drawer--m-panel-bottom__panel--FlexBasis--min
+            );
+            min-width: auto;
+            min-height: var(--ak-v2-c-drawer--m-panel-bottom__panel--md--MinHeight);
+        }
+
+        :host([position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel::after {
+            inset-block-start: 0;
+            inset-inline-start: auto;
+            width: 100%;
+            height: var(--ak-v2-c-drawer--m-panel-bottom__panel--after--Height);
+        }
+
+        :host([position="bottom"][resizable]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer__panel--md--FlexBasis--min: var(
+                --ak-v2-c-drawer--m-panel-bottom__panel--m-resizable--md--FlexBasis--min
+            );
+            --ak-v2-c-drawer__panel--m-resizable--FlexDirection: var(
+                --ak-v2-c-drawer--m-panel-bottom__panel--m-resizable--FlexDirection
+            );
+            --ak-v2-c-drawer__panel--m-resizable--MinWidth: 0;
+            min-height: var(--ak-v2-c-drawer--m-panel-bottom__panel--m-resizable--MinHeight);
+        }
+
+        :host([position="bottom"][resizable])
+            .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel
+            > .ak-v2-c-drawer__splitter {
+            --ak-v2-c-drawer__splitter-handle--Top: var(
+                --ak-v2-c-drawer--m-panel-bottom__splitter-handle--Top
+            );
+            --ak-v2-c-drawer__splitter--after--BorderRightWidth: 0;
+            --ak-v2-c-drawer__splitter--after--BorderBottomWidth: var(
+                --ak-v2-c-drawer--m-panel-bottom__splitter--after--BorderBottomWidth
+            );
+        }
+
+        :host([position="left"][inline]:not([no-border], [resizable]))
+            .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel:not(.pf-m-no-border, .pf-m-resizable),
+        :host([position="left"][static]:not([no-border], [resizable]))
+            .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel:not(.pf-m-no-border, .pf-m-resizable) {
+            padding-inline-start: 0;
+            padding-inline-end: var(--ak-v2-c-drawer--m-panel-left--m-inline__panel--PaddingRight);
+        }
+
+        :host([inline][resizable])
+            .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel
+            > .ak-v2-c-drawer__splitter {
+            --ak-v2-c-drawer__splitter--m-vertical--Width: var(
+                --ak-v2-c-drawer--m-inline__splitter--m-vertical--Width
+            );
+            --ak-v2-c-drawer__splitter-handle--Left: var(
+                --ak-v2-c-drawer--m-inline__splitter-handle--Left
+            );
+            --ak-v2-c-drawer__splitter--after--BorderRightWidth: var(
+                --ak-v2-c-drawer--m-inline__splitter--after--BorderRightWidth
+            );
+            --ak-v2-c-drawer__splitter--after--BorderLeftWidth: var(
+                --ak-v2-c-drawer--m-inline__splitter--after--BorderLeftWidth
+            );
+            outline-offset: var(--ak-v2-c-drawer--m-inline__splitter--focus--OutlineOffset);
+        }
+
+        :host([position="bottom"][inline][resizable])
+            .ak-v2-c-drawer__main
+            > .ak-v2-c-drawer__panel
+            > .ak-v2-c-drawer__splitter {
+            --ak-v2-c-drawer__splitter--Height: var(
+                --ak-v2-c-drawer--m-inline--m-panel-bottom__splitter--Height
+            );
+            --ak-v2-c-drawer__splitter-handle--Top: var(
+                --ak-v2-c-drawer--m-inline--m-panel-bottom__splitter-handle--Top
+            );
+            --ak-v2-c-drawer__splitter--after--BorderTopWidth: var(
+                --ak-v2-c-drawer--m-inline--m-panel-bottom__splitter--after--BorderTopWidth
+            );
+            --ak-v2-c-drawer__splitter--after--BorderRightWidth: 0;
+            --ak-v2-c-drawer__splitter--after--BorderLeftWidth: 0;
+        }
+
+        :host([no-panel-border]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer--m-expanded__panel--BoxShadow: none;
+        }
+
+        .ak-v2-c-drawer__splitter {
+            display: block;
+        }
+    }
+
+    @media (min-width: 768px) {
+        :host([width="25"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 25%;
+        }
+
+        :host([width="33"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 33%;
+        }
+
+        :host([width="50"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 50%;
+        }
+
+        :host([width="66"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 66%;
+        }
+
+        :host([width="75"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 75%;
+        }
+
+        :host([width="100"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 100%;
+        }
+    }
+
+    @media (min-width: 992px) {
+        :host([width="25-on-lg"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 25%;
+        }
+
+        :host([width="33-on-lg"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 33%;
+        }
+
+        :host([width="50-on-lg"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 50%;
+        }
+
+        :host([width="66-on-lg"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 66%;
+        }
+
+        :host([width="75-on-lg"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 75%;
+        }
+
+        :host([width="100-on-lg"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 100%;
+        }
+    }
+
+    @media (min-width: 1200px) {
+        :host([width="25-on-xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 25%;
+        }
+
+        :host([width="33-on-xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 33%;
+        }
+
+        :host([width="50-on-xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 50%;
+        }
+
+        :host([width="66-on-xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 66%;
+        }
+
+        :host([width="75-on-xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 75%;
+        }
+
+        :host([width="100-on-xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 100%;
+        }
+    }
+
+    @media (min-width: 1450px) {
+        :host([width="25-on-2xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 25%;
+        }
+
+        :host([width="33-on-2xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 33%;
+        }
+
+        :host([width="50-on-2xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 50%;
+        }
+
+        :host([width="66-on-2xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 66%;
+        }
+
+        :host([width="75-on-2xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 75%;
+        }
+
+        :host([width="100-on-2xl"]) {
+            --ak-v2-c-drawer__panel--md--FlexBasis: 100%;
+        }
+    }
+
+    @media (min-width: 768px) {
+        :host([inline]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content,
+        :host([static]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content {
+            flex-shrink: 1;
+        }
+
+        :host([inline]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel,
+        :host([static]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer--m-expanded__panel--BoxShadow: none;
+        }
+
+        :host([inline]:not([no-border])),
+        :host([static]:not([no-border])) {
+            background-color: var(
+                --ak-v2-c-drawer--m-inline--m-expanded__panel--after--BackgroundColor
+            );
+        }
+    }
+
+    :host([inline]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content {
+        overflow-x: auto;
+    }
+
+    :host([inline]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateX(100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([inline])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([inline][expanded]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: 0;
+        transform: translateX(0);
+    }
+
+    :host([inline][position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: 0;
+        margin-inline-end: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateX(-100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([inline][position="left"])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(-100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([inline][position="left"][expanded]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-end: 0;
+        transform: translateX(0);
+    }
+
+    :host([inline][position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-block-end: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateY(100%);
+    }
+
+    :host([inline][expanded][position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-block-end: 0;
+        transform: translateY(0);
+    }
+
+    :host([static]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    :host([static][position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-end: 0;
+        transform: translateX(0);
+    }
+
+    :host([static][position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    @media (min-width: 992px) {
+        :host([inline-on-lg]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content,
+        :host([static-on-lg]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content {
+            flex-shrink: 1;
+        }
+
+        :host([inline-on-lg]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel,
+        :host([static-on-lg]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer--m-expanded__panel--BoxShadow: none;
+        }
+
+        :host([inline-on-lg]:not([no-border])),
+        :host([static-on-lg]:not([no-border])) {
+            background-color: var(
+                --ak-v2-c-drawer--m-inline--m-expanded__panel--after--BackgroundColor
+            );
+        }
+    }
+
+    :host([inline-on-lg]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content {
+        overflow-x: auto;
+    }
+
+    :host([inline-on-lg]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateX(100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([inline-on-lg])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([inline-on-lg][expanded]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: 0;
+        transform: translateX(0);
+    }
+
+    :host([inline-on-lg][position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: 0;
+        margin-inline-end: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateX(-100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([inline-on-lg][position="left"])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(-100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([inline-on-lg][position="left"][expanded])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        margin-inline-end: 0;
+        transform: translateX(0);
+    }
+
+    :host([inline-on-lg][position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-block-end: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateY(100%);
+    }
+
+    :host([inline-on-lg][expanded][position="bottom"])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        margin-block-end: 0;
+        transform: translateY(0);
+    }
+
+    :host([static-on-lg]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    :host([static-on-lg][position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-end: 0;
+        transform: translateX(0);
+    }
+
+    :host([static-on-lg][position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    @media (min-width: 1200px) {
+        :host([inline-on-xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content,
+        :host([static-on-xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content {
+            flex-shrink: 1;
+        }
+
+        :host([inline-on-xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel,
+        :host([static-on-xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer--m-expanded__panel--BoxShadow: none;
+        }
+
+        :host([inline-on-xl]:not([no-border])),
+        :host([static-on-xl]:not([no-border])) {
+            background-color: var(
+                --ak-v2-c-drawer--m-inline--m-expanded__panel--after--BackgroundColor
+            );
+        }
+    }
+
+    :host([inline-on-xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content {
+        overflow-x: auto;
+    }
+
+    :host([inline-on-xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateX(100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([inline-on-xl])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([inline-on-xl][expanded]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: 0;
+        transform: translateX(0);
+    }
+
+    :host([inline-on-xl][position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: 0;
+        margin-inline-end: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateX(-100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([inline-on-xl][position="left"])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(-100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([inline-on-xl][position="left"][expanded])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        margin-inline-end: 0;
+        transform: translateX(0);
+    }
+
+    :host([inline-on-xl][position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-block-end: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateY(100%);
+    }
+
+    :host([inline-on-xl][expanded][position="bottom"])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        margin-block-end: 0;
+        transform: translateY(0);
+    }
+
+    :host([static-on-xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    :host([static-on-xl][position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-end: 0;
+        transform: translateX(0);
+    }
+
+    :host([static-on-xl][position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    @media (min-width: 1450px) {
+        :host([inline-on-2xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content,
+        :host([static-on-2xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content {
+            flex-shrink: 1;
+        }
+
+        :host([inline-on-2xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel,
+        :host([static-on-2xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+            --ak-v2-c-drawer--m-expanded__panel--BoxShadow: none;
+        }
+
+        :host([inline-on-2xl]:not([no-border])),
+        :host([static-on-2xl]:not([no-border])) {
+            background-color: var(
+                --ak-v2-c-drawer--m-inline--m-expanded__panel--after--BackgroundColor
+            );
+        }
+    }
+
+    :host([inline-on-2xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__content {
+        overflow-x: auto;
+    }
+
+    :host([inline-on-2xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateX(100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([inline-on-2xl])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([inline-on-2xl][expanded]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: 0;
+        transform: translateX(0);
+    }
+
+    :host([inline-on-2xl][position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-start: 0;
+        margin-inline-end: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateX(-100%);
+    }
+
+    :where(.ak-v2-m-dir-rtl, [dir="rtl"])
+        :host([inline-on-2xl][position="left"])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        transform: translateX(calc(-100% * var(--ak-v2-global--inverse--multiplier)));
+    }
+
+    :host([inline-on-2xl][position="left"][expanded])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        margin-inline-end: 0;
+        transform: translateX(0);
+    }
+
+    :host([inline-on-2xl][position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-block-end: calc(var(--ak-v2-c-drawer__panel--FlexBasis) * -1);
+        transform: translateY(100%);
+    }
+
+    :host([inline-on-2xl][expanded][position="bottom"])
+        .ak-v2-c-drawer__main
+        > .ak-v2-c-drawer__panel {
+        margin-block-end: 0;
+        transform: translateY(0);
+    }
+
+    :host([static-on-2xl]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    :host([static-on-2xl][position="left"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        margin-inline-end: 0;
+        transform: translateX(0);
+    }
+
+    :host([static-on-2xl][position="bottom"]) .ak-v2-c-drawer__main > .ak-v2-c-drawer__panel {
+        transform: translateX(0);
+    }
+
+    @media screen and (min-width: 1200px) {
+        :host([position="bottom"]) {
+            --ak-v2-c-drawer__panel--MinWidth: auto;
+            --ak-v2-c-drawer__panel--MinHeight: var(
+                --ak-v2-c-drawer--m-panel-bottom__panel--xl--MinHeight
+            );
+        }
+    }
+`;
+//
+export default styles;
--- a/web/src/elements/ak-drawer/ak-drawer.ts
+++ b/web/src/elements/ak-drawer/ak-drawer.ts
@@ -1,11 +1,11 @@
-import { Drawer } from "./ak-drawer.component.js";
+import { AkDrawer } from "./ak-drawer.component.js";

-export { Drawer };
+export { AkDrawer };

-window.customElements.define("ak-drawer", Drawer);
+window.customElements.define("ak-drawer", AkDrawer);

 declare global {
    interface HTMLElementTagNameMap {
-        "ak-drawer": Drawer;
+        "ak-drawer": AkDrawer;
    }
 }
--- a/web/src/elements/ak-drawer/drawerResizeController.ts
+++ b/web/src/elements/ak-drawer/drawerResizeController.ts
@@ -0,0 +1,195 @@
+import { type AkDrawer } from "./ak-drawer.component";
+
+import { match, P } from "ts-pattern";
+
+import { ReactiveController, ReactiveControllerHost } from "lit";
+
+type DrawerResizeControllerHost = ReactiveControllerHost & AkDrawer;
+type Position = "start" | "end" | "left" | "right" | "bottom";
+
+const oneOf = P.union;
+
+const DEFAULT_SIZE_PROPERTY_NAME = "--ak-v2-c-drawer__panel--md--FlexBasis";
+const DEFAULT_RESIZE_INCREMENT = 5;
+
+interface ResizeControllerProps {
+    sizeProperty?: string;
+    resizeIncrement?: number;
+}
+
+export class DrawerResizeController implements ReactiveController {
+    #abortController: AbortController | null = null;
+
+    #positions: {
+        start: number;
+        end: number;
+        bottom: number;
+    } = { start: 0, end: 0, bottom: 0 };
+
+    public resizeIncrement: number;
+    public sizeProperty: string;
+
+    constructor(
+        private host: DrawerResizeControllerHost,
+        props: ResizeControllerProps = {},
+    ) {
+        this.resizeIncrement = props.resizeIncrement ?? DEFAULT_RESIZE_INCREMENT;
+        this.sizeProperty = props.sizeProperty ?? DEFAULT_SIZE_PROPERTY_NAME;
+    }
+
+    endController() {
+        this.#abortController?.abort();
+        this.#abortController = null;
+    }
+
+    restartController() {
+        this.endController();
+        this.#abortController = new AbortController();
+        return this.#abortController.signal;
+    }
+
+    hostQ(part: string): HTMLElement {
+        const element = this.host.renderRoot.querySelector(part);
+        if (element === null || !(element instanceof HTMLElement)) {
+            throw new Error(`Could not identify requested part ${element}`);
+        }
+        return element;
+    }
+
+    get drawer() {
+        return this.hostQ('[part="drawer"]');
+    }
+
+    get panel() {
+        return this.hostQ('[part="drawer-panel"]');
+    }
+
+    get content() {
+        return this.hostQ('[part="drawer-panel-main"]');
+    }
+
+    get splitter() {
+        return this.hostQ('[part="drawer-splitter"]');
+    }
+
+    get inline() {
+        return this.host.hasAttribute("inline");
+    }
+
+    get position(): Position {
+        return (this.host.getAttribute("position") || "end") as Position;
+    }
+
+    initPositions() {
+        const pan = this.panel.getBoundingClientRect();
+        this.#positions = { start: pan.left, end: pan.right, bottom: pan.bottom };
+    }
+
+    setResizing(resizing: boolean = true) {
+        if (resizing) {
+            this.host.setAttribute("resizing", "");
+        } else {
+            this.host.removeAttribute("resizing");
+        }
+    }
+
+    get isResizing() {
+        return this.host.hasAttribute("resizing");
+    }
+
+    handleMove(ev: MouseEvent | TouchEvent, controlPosition: number) {
+        ev.stopPropagation();
+        const newSize = match(this.position)
+            .with(oneOf("end", "right"), () => this.#positions.end - controlPosition)
+            .with(oneOf("start", "left"), () => controlPosition - this.#positions.start)
+            .with("bottom", () => this.#positions.bottom - controlPosition)
+            .otherwise(() => {
+                throw new Error(`Do not recognize position: ${this.position}`);
+            });
+        if (this.position === "bottom") {
+            this.panel.style.overflowAnchor = "none";
+        }
+        this.panel.style.setProperty(DEFAULT_SIZE_PROPERTY_NAME, `${newSize}px`);
+    }
+
+    handleMouseMove = (ev: MouseEvent) => {
+        this.handleMove(ev, this.position === "bottom" ? ev.clientY : ev.clientX);
+    };
+
+    handleTouchMove = (ev: TouchEvent) => {
+        ev.preventDefault();
+        ev.stopImmediatePropagation();
+        const touch = ev.touches[0];
+        this.handleMove(ev, this.position === "bottom" ? touch.clientY : touch.clientX);
+    };
+
+    handleMouseUp = () => {
+        this.setResizing(false);
+        this.initPositions();
+        this.restartController();
+    };
+
+    handleTouchEnd = (ev: TouchEvent) => {
+        ev.stopPropagation();
+        this.handleMouseUp();
+    };
+
+    handleTouchStart = (ev: TouchEvent) => {
+        ev.stopPropagation();
+        const signal = this.restartController();
+        document.addEventListener("touchmove", this.handleTouchMove, { passive: false, signal });
+        document.addEventListener("touchend", this.handleTouchEnd, { signal });
+        this.initPositions();
+        this.setResizing();
+    };
+
+    handleMouseDown = (ev: MouseEvent) => {
+        ev.stopPropagation();
+        ev.preventDefault();
+        const signal = this.restartController();
+        document.addEventListener("mousemove", this.handleMouseMove, { signal });
+        document.addEventListener("mouseup", this.handleMouseUp, { signal });
+        this.initPositions();
+        this.setResizing();
+    };
+
+    handleKeyDown = (ev: KeyboardEvent) => {
+        const key = ev.key;
+        const positionKeys =
+            this.position === "bottom" ? ["ArrowUp", "ArrowDown"] : ["ArrowLeft", "ArrowRight"];
+        const validKeys = ["Escape", "Enter", ...positionKeys];
+
+        // Prevent default behavior when resizing, but otherwise let it pass.
+        if (!validKeys.includes(key)) {
+            if (this.isResizing) {
+                ev.preventDefault();
+            }
+            return;
+        }
+        ev.preventDefault();
+
+        const delta = match([key, this.position])
+            .with(["ArrowRight", oneOf("end", "right")], () => -1 * this.resizeIncrement)
+            .with(["ArrowLeft", oneOf("end", "right")], () => this.resizeIncrement)
+            .with(["ArrowRight", oneOf("start", "left")], () => this.resizeIncrement)
+            .with(["ArrowLeft", oneOf("start", "left")], () => -1 * this.resizeIncrement)
+            .with(["ArrowUp", "bottom"], () => this.resizeIncrement)
+            .with(["ArrowDown", "bottom"], () => -1 * this.resizeIncrement)
+            .otherwise(() => 0);
+
+        const { height, width } = this.panel.getBoundingClientRect();
+        const newSize = (this.position === "bottom" ? height : width) + delta;
+        this.panel.style.setProperty(DEFAULT_SIZE_PROPERTY_NAME, `${newSize}px`);
+    };
+
+    hostConnected() {
+        this.host.updateComplete.then(() => {
+            this.initPositions();
+        });
+    }
+
+    hostDisconnected() {
+        this.#abortController?.abort();
+        this.#abortController = null;
+    }
+}
--- a/web/src/elements/wizard/Wizard.ts
+++ b/web/src/elements/wizard/Wizard.ts
@@ -62,23 +62,6 @@ export class AKWizard<S = Record<string, unknown>> extends AKElement {
                display: block;
                height: min(var(--ak-c-dialog--AspectRatioHeight), var(--ak-c-dialog--MaxHeight));
            }
-
-            .pf-c-wizard__main {
-                overscroll-behavior: contain;
-                display: flex;
-                flex-flow: column;
-            }
-
-            .pf-c-wizard__main,
-            .pf-c-wizard__main-body {
-                transform: translate3d(0, 0, 0);
-                will-change: transform;
-            }
-
-            .pf-c-wizard__main-body {
-                display: flex;
-                flex: 1 1 auto;
-            }
        `,
    ];

@@ -521,6 +504,12 @@ export class AKWizard<S = Record<string, unknown>> extends AKElement {
                    return html`<p>Unexpected missing step: ${step}</p>`;
                }

+                // By default, disable steps ahead of the current step
+                let disabled = activeStepIndex < idx;
+                // If this wizard is at the end, disable navigation back
+                if (activeStepIndex === this.steps.length - 1 && idx !== activeStepIndex) {
+                    disabled = true;
+                }
                return html`<li role="presentation" class="pf-c-wizard__nav-item">
                    <button
                        class=${classMap({
@@ -528,7 +517,7 @@ export class AKWizard<S = Record<string, unknown>> extends AKElement {
                            "pf-m-current": idx === activeStepIndex,
                        })}
                        type="button"
-                        ?disabled=${activeStepIndex < idx}
+                        ?disabled=${disabled}
                        @click=${() => {
                            this.activeStepElement = stepEl;
                        }}
--- a/web/src/flow/inspector/FlowInspectorButton.ts
+++ b/web/src/flow/inspector/FlowInspectorButton.ts
@@ -73,9 +73,9 @@ export class FlowInspectorButton extends WithCapabilitiesConfig(AKElement) {
        const drawer = document.getElementById("flow-drawer");
        if (changed.has("open") && drawer) {
            if (this.open) {
-                drawer.setAttribute("open", "");
+                drawer.setAttribute("expanded", "");
            } else {
-                drawer.removeAttribute("open");
+                drawer.removeAttribute("expanded");
            }
        }
    }
--- a/web/src/styles/authentik/base/variables.css
+++ b/web/src/styles/authentik/base/variables.css
@@ -44,8 +44,90 @@
    --ak-sidebar--minimum-auto-width: 80rem;
 }

-html[data-theme="dark"] {
-    --ak-global--BackgroundColorContrast--100: var(--pf-global--palette--black-150);
+/* #region Root globals, V2 */
+:root {
+    /* ---- Background Colors ---- */
+    --ak-v2-global--BackgroundColor--100: #fff;
+    --ak-v2-global--BorderWidth--sm: 1px;
+
+    /* ---- Text Colors ---------- */
+    --pf-v5-global--Color--100: #151515;
+
+    /* ---- Border Colors -------- */
+    --ak-v2-global--BorderColor--100: #d2d2d2;
+    --ak-v2-global--BorderColor--200: #8a8d90;
+
+    /* ---- Box Shadows ------ */
+    --ak-v2-global--BoxShadow--lg:
+        0 0.5rem 1rem 0 rgba(3, 3, 3, 0.16), 0 0 0.375rem 0 rgba(3, 3, 3, 0.08);
+    --ak-v2-global--BoxShadow--lg-top: 0 -0.75rem 0.75rem -0.5rem rgba(3, 3, 3, 0.18);
+    --ak-v2-global--BoxShadow--lg-right: 0.75rem 0 0.75rem -0.5rem rgba(3, 3, 3, 0.18);
+    --ak-v2-global--BoxShadow--lg-bottom: 0 0.75rem 0.75rem -0.5rem rgba(3, 3, 3, 0.18);
+    --ak-v2-global--BoxShadow--lg-left: -0.75rem 0 0.75rem -0.5rem rgba(3, 3, 3, 0.18);
+
+    /* ---- Spacers -------------- */
+    --ak-v2-global--spacer--xs: 0.25rem;
+    --ak-v2-global--spacer--sm: 0.5rem;
+    --ak-v2-global--spacer--md: 1rem;
+    --ak-v2-global--spacer--lg: 1.5rem;
+    --ak-v2-global--spacer--xl: 2rem;
+    --ak-v2-global--spacer--2xl: 3rem;
+    --ak-v2-global--spacer--3xl: 4rem;
+    --ak-v2-global--spacer--4xl: 5rem;
+    --ak-v2-global--spacer--form-element: 0.375rem;
+    --ak-v2-global--gutter: 1rem;
+    --ak-v2-global--gutter--md: 1.5rem;
+
+    /* ---- Z-Index -------------- */
+    --ak-v2-global--ZIndex--xs: 100;
+    --ak-v2-global--ZIndex--sm: 200;
+
+    /* ---- Animation ------------ */
+    --ak-v2-global--TransitionDuration: 250ms;
+
+    /* ---- Customization Bridge - */
+    --ak-v2-global--dark-background: var(--ak-dark-background);
+}
+
+/* -------- Dark Theme ------------------------------- */
+
+[data-theme="dark"] {
+    /* ---- Background Colors ---- */
+    --ak-v2-global--BackgroundColor--100: #18191a;
+
+    /* ---- Text Colors ---------- */
+    --ak-v2-global--Color--100: #e0e0e0;
+
+    /* ---- Border Colors -------- */
+    --ak-v2-global--BorderColor--100: #444548;
+    --ak-v2-global--BorderColor--200: #444548;
+
+    /* ---- Box Shadows ------ */
+    --ak-v2-global--BoxShadow--lg:
+        0 0.5rem 1rem 0 rgba(3, 3, 3, 0.64), 0 0 0.375rem 0 rgba(3, 3, 3, 0.32);
+    --ak-v2-global--BoxShadow--lg-top: 0 -0.75rem 0.75rem -0.5rem rgba(3, 3, 3, 0.72);
+    --ak-v2-global--BoxShadow--lg-right: 0.75rem 0 0.75rem -0.5rem rgba(3, 3, 3, 0.72);
+    --ak-v2-global--BoxShadow--lg-bottom: 0 0.75rem 0.75rem -0.5rem rgba(3, 3, 3, 0.72);
+    --ak-v2-global--BoxShadow--lg-left: -0.75rem 0 0.75rem -0.5rem rgba(3, 3, 3, 0.72);
+}
+
+/* -------- Semantic Names -------------------------- */
+
+:root {
+    /* ---- Background Colors ---- */
+    --ak-v2-global--ContentSurface: var(--ak-v2-global--BackgroundColor--100);
+    --ak-v2-global--SecondaryContentSurface: var(--ak-v2-global--BackgroundColor--200);
+    /* Not sure what to call this next one; this is the background color Patternfly uses when you hover
+       over something and it changes color to indicate it's interactive in some way. It's the same
+       color as the one above in their default theme. */
+    --ak-v2-global--AffordanceIndicatedSurface: var(--ak-v2-global--BackgroundColor--200);
+
+    /* ---- Text Colors ---- */
+    --ak-v2-global--PrimaryText: var(--ak-v2-global--Color--100);
+
+    /* ---- Border Colors ---- */
+    --ak-v2-global--StandardBorder: var(--pf-v5-global--BorderColor--100);
+    --ak-v2-global--InputAccentBorder: var(--pf-v5-global--BorderColor--200);
 }

 /* #endregion */
--- a/web/src/styles/authentik/components/Modal/modal.css
+++ b/web/src/styles/authentik/components/Modal/modal.css
@@ -8,7 +8,7 @@

    --pf-c-modal-box__header--PaddingTop: var(--ak-c-modal-box__header--BlockSpacer);

-    --ak-c-modal-box__footer--BlockSpacer: clamp(0.25em, var(--pf-global--spacer--xl), 3cqb);
+    --ak-c-modal-box__footer--BlockSpacer: clamp(0.25em, var(--pf-global--spacer--xl), 2cqb);
    --pf-c-modal-box__footer--PaddingTop: var(--ak-c-modal-box__footer--BlockSpacer);
    --pf-c-modal-box__footer--PaddingBottom: var(--ak-c-modal-box__footer--BlockSpacer);
 }
--- a/web/src/styles/authentik/components/Wizard/wizard.css
+++ b/web/src/styles/authentik/components/Wizard/wizard.css
@@ -10,26 +10,44 @@
    --pf-c-wizard__close--Right: var(--ak-c-wizard__header--InlineSpacer);
    --pf-c-wizard__close--Top: var(--ak-c-wizard__header--BlockSpacer);

-    --ak-c-wizard__footer--BlockSpacer: clamp(0.25em, var(--pf-global--spacer--xl), 3cqb);
+    --ak-c-wizard__footer--BlockSpacer: clamp(0.25em, var(--pf-global--spacer--xl), 2cqb);
    --pf-c-wizard__footer--PaddingTop: var(--ak-c-wizard__footer--BlockSpacer);
    --pf-c-wizard__footer--PaddingBottom: var(--ak-c-wizard__footer--BlockSpacer);
    --pf-c-wizard__footer--child--MarginBottom: 0;
 }

+.pf-c-wizard__main {
+    overscroll-behavior: contain;
+    display: flex;
+    flex-flow: column;
+    height: min(var(--ak-c-dialog--MaxHeight), 100cqi);
+}
+
 .pf-c-wizard__main-body {
    --ak-c-fieldset--BorderColor: var(--pf-global--BackgroundColor--150);

+    display: flex;
+    flex: 1 1 auto;
    gap: var(--pf-global--spacer--lg);

-    fieldset {
-        .pf-c-description-list {
-            margin-inline: var(--pf-global--spacer--sm);
-        }
+    .ak-c-fieldset .pf-c-description-list {
+        margin-inline: var(--pf-global--spacer--sm);
    }
+
+    & > .pf-c-form {
+        place-content: start;
+    }
+}
+
+.pf-c-wizard__main,
+.pf-c-wizard__main-body {
+    transform: translate3d(0, 0, 0);
+    will-change: transform;
 }

 .pf-c-wizard__main-title {
    width: 100%;
+    flex: 0 0 auto;
    font-family: var(--pf-global--FontFamily--heading--sans-serif);
    font-size: var(--pf-global--FontSize--md);
    font-weight: var(--pf-global--FontWeight--bold);
--- a/Show More
+++ b/Show More